Malware Analysis Report

2024-11-13 16:21

Sample ID 220516-cjvzfsccbr
Target 2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83
SHA256 2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83
Tags
rms aspackv2 evasion rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83

Threat Level: Known bad

The file 2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83 was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 evasion rat trojan upx

RMS (Remote Manipulator System, TektonIT's remote-administration suite; the dropped rutserv.exe/rfusclient.exe, the HKLM\SYSTEM\Remote Manipulator System registry key and the rms-server.tektonit.ru connection below are its components and infrastructure)

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

ASPack v2.12-2.42

Sets file to hidden

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Runs .reg file with regedit

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: SetClipboardViewer

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-16 02:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-16 02:06

Reported

2022-05-16 02:14

Platform

win10v2004-20220414-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

2 matches; no indicator, process or target recorded for this static signature.

ASPack v2.12-2.42

aspackv2
9 matches; no indicator, process or target recorded for this static signature.

Sets file to hidden

evasion

UPX packed file

upx
2 matches; no indicator, process or target recorded for this static signature.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240559937 C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
2 instances N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
4 instances N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
1 instance N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
1 instance N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (x4) N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege (x2) N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege (x2) N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
4 instances N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Each parent/child pair appears as three consecutive identical rows in the raw log (one row per write into the new child); collapsed here to one row per pair (x3), in log order.

Description Indicator Process Target
PID 1984 wrote to memory of 4668 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 4668 wrote to memory of 4676 (x3) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 680 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4676 wrote to memory of 2240 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4676 wrote to memory of 1956 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4676 wrote to memory of 3664 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4676 wrote to memory of 2648 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4676 wrote to memory of 396 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4676 wrote to memory of 3024 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4676 wrote to memory of 2560 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4676 wrote to memory of 3672 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4676 wrote to memory of 1996 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4676 wrote to memory of 1300 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4676 wrote to memory of 4048 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 932 wrote to memory of 4156 (x3) N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 932 wrote to memory of 4500 (x3) N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4676 wrote to memory of 628 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4676 wrote to memory of 1960 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4676 wrote to memory of 3540 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4676 wrote to memory of 808 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4500 wrote to memory of 2360 (x3) N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
2 instances N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe

"C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
US 20.42.73.25:443 tcp
NL 88.221.144.179:80 tcp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
NL 104.97.14.81:80 tcp
NL 104.97.14.81:80 tcp
NL 104.97.14.81:80 tcp
FR 2.18.109.224:443 tcp
US 104.18.24.243:80 tcp
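The install chain in the Processes section and the relay traffic in the Network section, expressed as detection logic run over constructed event records. This is an added example, not part of the sandbox report and not RMS or TektonIT code. The event dicts (Sysmon-style process, dns and net records), the alert threshold of three distinct rules per process tree, the name sample.exe standing in for the SHA256-named dropper and the address 198.51.100.7 are assumptions; every indicator string (binary names, the RManService name, the registry key, the domains, port 5655) is taken from the tables above. No single rule is a safe alert on its own, since an administrator can legitimately run rutserv.exe /silentinstall; the point is that install.bat trips many of them inside one process tree.

```python
import re
from collections import defaultdict

# Indicators lifted from the Processes and Network sections of the report.
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
RMS_SERVICE = "rmanservice"
RMS_REG_KEY = r"hklm\system\remote manipulator system"
RMS_DOMAINS = {"rmansys.ru", "rms-server.tektonit.ru"}
RMS_RELAY_PORT = 5655


def _norm(cmd):
    """Lower-case and collapse whitespace so sc.exe's 'obj= LocalSystem' style
    arguments compare reliably."""
    return re.sub(r"\s+", " ", cmd.lower()).strip()


# Each rule sees (image basename, normalised command line) of one process.
PROCESS_RULES = {
    "rms_silent_install": lambda i, c: i in RMS_BINARIES and re.search(r"/(silentinstall|firewall|start)\b", c) is not None,
    "rms_service_renamed": lambda i, c: i == "sc.exe" and RMS_SERVICE in c and "displayname=" in c,
    "rms_service_interactive_system": lambda i, c: i == "sc.exe" and RMS_SERVICE in c and "obj= localsystem" in c,
    "hidden_program_files_dir": lambda i, c: i == "attrib.exe" and "program files" in c and "+h" in c and "+s" in c,
    "kill_existing_rms": lambda i, c: i == "taskkill.exe" and any(b in c for b in RMS_BINARIES),
    "rms_config_wiped": lambda i, c: i == "reg.exe" and "delete" in c and RMS_REG_KEY in c,
    "reg_file_import": lambda i, c: i == "regedit.exe" and "/s" in c and ".reg" in c,
}


def score_process_tree(events):
    """Return {root_pid: {rule names}} for every process tree with at least one hit.
    The root is the highest ancestor present in the event set."""
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        seen = set()
        while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    hits = defaultdict(set)
    for e in events:
        c = _norm(e["cmd"])
        for name, pred in PROCESS_RULES.items():
            if pred(e["image"].lower(), c):
                hits[root(e["pid"])].add(name)
    return dict(hits)


def rms_install_alerts(events, min_rules=3):
    """Process trees in which at least min_rules distinct rules matched (assumed threshold)."""
    return {r: sorted(n) for r, n in score_process_tree(events).items() if len(n) >= min_rules}


def flag_network(events):
    """DNS lookups and connections pointing at the RMS vendor/relay hosts from the Network table,
    plus any connection on 5655/tcp even when no domain was resolved for it."""
    flagged = []
    for e in events:
        if e["type"] == "dns" and e["query"].lower() in RMS_DOMAINS:
            flagged.append(("rms_dns_lookup", e["query"]))
        elif e["type"] == "net":
            dest = f'{e["dst"]}:{e["port"]}'
            if e.get("domain", "").lower() in RMS_DOMAINS:
                flagged.append(("rms_domain_connect", dest))
            elif e["port"] == RMS_RELAY_PORT:
                flagged.append(("rms_relay_port", dest))
    return flagged


# Constructed from the Processes section; PIDs follow the WriteProcessMemory table.
# "sample.exe" stands in for the SHA256-named dropper. The last two events are an
# unrelated tree that must not alert.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 1984, "ppid": 1000, "image": "sample.exe", "cmd": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 4668, "ppid": 1984, "image": "WScript.exe", "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"'},
    {"pid": 4676, "ppid": 4668, "image": "cmd.exe", "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "'},
    {"pid": 680, "ppid": 4676, "image": "attrib.exe", "cmd": r'attrib "C:\Program Files (x86)\System" +H +S /S /D'},
    {"pid": 1956, "ppid": 4676, "image": "taskkill.exe", "cmd": "taskkill /f /im rutserv.exe"},
    {"pid": 3024, "ppid": 4676, "image": "reg.exe", "cmd": r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'},
    {"pid": 2560, "ppid": 4676, "image": "regedit.exe", "cmd": 'regedit /s "regedit.reg"'},
    {"pid": 1996, "ppid": 4676, "image": "rutserv.exe", "cmd": "rutserv.exe /silentinstall"},
    {"pid": 628, "ppid": 4676, "image": "sc.exe", "cmd": "sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000"},
    {"pid": 1960, "ppid": 4676, "image": "sc.exe", "cmd": "sc config RManService obj= LocalSystem type= interact type= own"},
    {"pid": 3540, "ppid": 4676, "image": "sc.exe", "cmd": 'sc config RManService DisplayName= "Windows_Defender v6.3"'},
    {"pid": 5000, "ppid": 2000, "image": "cmd.exe", "cmd": "cmd /c attrib +R readme.txt"},
    {"pid": 5001, "ppid": 2000, "image": "sc.exe", "cmd": "sc query wuauserv"},
]

# Constructed from the Network section; 198.51.100.7 is a documentation address added
# to show the port-only rule, not something the report recorded.
SAMPLE_NETWORK_EVENTS = [
    {"type": "dns", "query": "rms-server.tektonit.ru"},
    {"type": "net", "dst": "95.213.205.83", "port": 5655, "domain": "rms-server.tektonit.ru"},
    {"type": "net", "dst": "31.31.198.18", "port": 80, "domain": "rmansys.ru"},
    {"type": "net", "dst": "8.8.8.8", "port": 53, "domain": ""},
    {"type": "net", "dst": "198.51.100.7", "port": 5655, "domain": ""},
]

if __name__ == "__main__":
    for root_pid, rules in rms_install_alerts(SAMPLE_PROCESS_EVENTS).items():
        print(f"ALERT: RMS silent install under PID {root_pid}: {', '.join(rules)}")
    for kind, what in flag_network(SAMPLE_NETWORK_EVENTS):
        print(f"{kind}: {what}")
```

On the sample above the dropper's tree (root PID 1984) matches all seven process rules while the unrelated tree matches none; tuning min_rules down to one would catch a manual RMS deployment as well, which may or may not be wanted in a given environment.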

Files

Dropped files, one entry per unique file. In the raw log rutserv.exe appears five times and rfusclient.exe four times, once per captured process instance, with identical hashes each time.

C:\Program Files (x86)\System\install.vbs

MD5 c719a030434d3fa96d62868f27e904a6
SHA1 f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA256 2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA512 47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

C:\Program Files (x86)\System\install.bat

MD5 3632bde0237a25acc88651cc059a04db
SHA1 38bc44312b805f688fc9d251a3df0242dcfae1cf
SHA256 8b1edb6951e1eda0670eff719f66919d91afa7e40d0976123df56699594d9e90
SHA512 e439cfcf56721d0af2a920949f3a20860e01e4ed74e6bb6bacab94757eed256b6042aded78518d6c1a077f6bdc269adfa95286fd170e71f2b925ec14ea89d50a

C:\Program Files (x86)\System\mailsend.exe

MD5 ac23b87f8ec60ddd3f555556f89a6af8
SHA1 3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256 80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512 57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\regedit.reg

MD5 251212852a073e6fc5fbe3af92f66adb
SHA1 6ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256 f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512 f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Memory dumps, grouped by PID (the number after the PID is the dump index from the raw log). The "-0x0000000000000000-mapping.dmp" entries are the initial image mapping captured for each spawned process; the 0x400000 ranges are the main-module region of rutserv.exe (0x400000-0xAB9000) and rfusclient.exe (0x400000-0x9B6000). PID-to-image attribution follows the WriteProcessMemory table above.

PID 4668 (WScript.exe): memory/4668-130-0x0000000000000000-mapping.dmp

PID 4676 (cmd.exe): memory/4676-133-0x0000000000000000-mapping.dmp

PIDs 680, 2240 (attrib.exe): memory/680-134-0x0000000000000000-mapping.dmp, memory/2240-135-0x0000000000000000-mapping.dmp

PIDs 1956, 3664, 2648, 396 (taskkill.exe): memory/1956-142-, memory/3664-143-, memory/2648-144-, memory/396-145-0x0000000000000000-mapping.dmp

PID 3024 (reg.exe): memory/3024-146-0x0000000000000000-mapping.dmp

PID 2560 (regedit.exe): memory/2560-147-0x0000000000000000-mapping.dmp

PID 3672 (timeout.exe): memory/3672-148-0x0000000000000000-mapping.dmp

PID 1996 (rutserv.exe): memory/1996-149-0x0000000000000000-mapping.dmp; memory/1996-{151,152,153,154,155,156}-0x0000000000400000-0x0000000000AB9000-memory.dmp

PID 1300 (rutserv.exe): memory/1300-157-0x0000000000000000-mapping.dmp; memory/1300-{159,160,161,162,163,164}-0x0000000000400000-0x0000000000AB9000-memory.dmp

PID 4048 (rutserv.exe): memory/4048-165-0x0000000000000000-mapping.dmp; memory/4048-{167,168,169,170,171,182}-0x0000000000400000-0x0000000000AB9000-memory.dmp

PID 932 (rutserv.exe; no mapping dump and not a child of cmd.exe, which is consistent with the instance started through the RManService service): memory/932-{173,174,175,176,177,205}-0x0000000000400000-0x0000000000AB9000-memory.dmp

PID 4156 (rfusclient.exe): memory/4156-178-0x0000000000000000-mapping.dmp; memory/4156-{184,186,188,190,192}-0x0000000000400000-0x00000000009B6000-memory.dmp

PID 4500 (rfusclient.exe): memory/4500-179-0x0000000000000000-mapping.dmp; memory/4500-{183,185,187,189,191}-0x0000000000400000-0x00000000009B6000-memory.dmp

PIDs 628, 1960, 3540 (sc.exe): memory/628-193-, memory/1960-194-, memory/3540-195-0x0000000000000000-mapping.dmp

PID 808 (timeout.exe): memory/808-196-0x0000000000000000-mapping.dmp

PID 2360 (rfusclient.exe): memory/2360-197-0x0000000000000000-mapping.dmp; memory/2360-{199,200,201,202,203,204}-0x0000000000400000-0x00000000009B6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-16 02:06

Reported

2022-05-16 02:14

Platform

win7-20220414-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

2 matches; no indicator, process or target recorded for this static signature.

ASPack v2.12-2.42

aspackv2
14 matches; no indicator, process or target recorded for this static signature.

Sets file to hidden

evasion

UPX packed file

upx
2 matches; no indicator, process or target recorded for this static signature.

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File created C:\Program Files (x86)\System\mailsend.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\id.txt C:\Windows\SysWOW64\reg.exe N/A
File created C:\Program Files (x86)\System\id.txt C:\Windows\SysWOW64\reg.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7084879 C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe N/A
File opened for modification C:\Program Files (x86)\System\mailsend.exe C:\Windows\SysWOW64\attrib.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1624 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe C:\Windows\SysWOW64\WScript.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1140 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe

"C:\Users\Admin\AppData\Local\Temp\2834f08114dd9a0583deb4d44ed36b6bf914d26cb9482c99cbed6e1c5dc4aa83.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Windows\SysWOW64\reg.exe

reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"

C:\Windows\SysWOW64\timeout.exe

timeout 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1624-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

memory/1080-55-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 c719a030434d3fa96d62868f27e904a6
SHA1 f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA256 2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA512 47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

C:\Program Files (x86)\System\install.bat

MD5 3632bde0237a25acc88651cc059a04db
SHA1 38bc44312b805f688fc9d251a3df0242dcfae1cf
SHA256 8b1edb6951e1eda0670eff719f66919d91afa7e40d0976123df56699594d9e90
SHA512 e439cfcf56721d0af2a920949f3a20860e01e4ed74e6bb6bacab94757eed256b6042aded78518d6c1a077f6bdc269adfa95286fd170e71f2b925ec14ea89d50a

memory/1140-59-0x0000000000000000-mapping.dmp

memory/828-61-0x0000000000000000-mapping.dmp

memory/1128-63-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\regedit.reg

MD5 251212852a073e6fc5fbe3af92f66adb
SHA1 6ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256 f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512 f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

C:\Program Files (x86)\System\mailsend.exe

MD5 ac23b87f8ec60ddd3f555556f89a6af8
SHA1 3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256 80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512 57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

memory/1280-71-0x0000000000000000-mapping.dmp

memory/1840-73-0x0000000000000000-mapping.dmp

memory/848-75-0x0000000000000000-mapping.dmp

memory/472-77-0x0000000000000000-mapping.dmp

memory/1972-79-0x0000000000000000-mapping.dmp

memory/1348-81-0x0000000000000000-mapping.dmp

memory/1484-83-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1952-86-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1952-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1952-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1952-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1952-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1952-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1952-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1108-96-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1108-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1108-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1108-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1108-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1108-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1108-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1496-106-0x0000000000000000-mapping.dmp

memory/1496-109-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1496-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1496-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1496-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1496-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/632-123-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1608-122-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/632-127-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1608-128-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/632-129-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1608-126-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/632-124-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1496-125-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1608-121-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1368-130-0x0000000000000000-mapping.dmp

memory/1608-131-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/632-132-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2016-134-0x0000000000000000-mapping.dmp

memory/1960-136-0x0000000000000000-mapping.dmp

memory/908-138-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2044-140-0x0000000000000000-mapping.dmp

memory/2044-143-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-144-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-145-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-146-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-147-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-148-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1728-149-0x0000000000000000-mapping.dmp

memory/1468-151-0x0000000000000000-mapping.dmp

memory/1140-153-0x00000000020A0000-0x0000000002759000-memory.dmp