Malware Analysis Report

2024-11-13 16:21

Sample ID 220516-cr4xbscfap
Target 915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b
SHA256 915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b
Tags
upx rms aspackv2 rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b

Threat Level: Known bad

The file 915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b was found to be: Known bad.

Malicious Activity Summary

upx rms aspackv2 rat trojan

RMS

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: SetClipboardViewer

Runs .reg file with regedit

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-16 02:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-16 02:19

Reported

2022-05-16 02:22

Platform

win7-20220414-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7074473 C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 736 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 736 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 736 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2024 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2024 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2024 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2024 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2024 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 2024 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1396 wrote to memory of 1016 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1016 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1016 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1016 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1984 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1984 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1984 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1396 wrote to memory of 1984 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1016 wrote to memory of 1860 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1016 wrote to memory of 1860 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1016 wrote to memory of 1860 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1016 wrote to memory of 1860 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe

"C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/736-54-0x0000000076851000-0x0000000076853000-memory.dmp

memory/1868-55-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Program Files (x86)\System\install.bat

MD5 99db27d776e103cad354b531ee1f20b9
SHA1 0b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256 240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512 bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

memory/2024-59-0x0000000000000000-mapping.dmp

memory/1712-60-0x0000000000000000-mapping.dmp

memory/1956-61-0x0000000000000000-mapping.dmp

memory/1740-62-0x0000000000000000-mapping.dmp

memory/360-63-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\regedit.reg

MD5 e07d9ed7f410a5b1ee9b9d790c21dccd
SHA1 bf6b1a88220c78f6502399c6ddbcc30fa21a880c
SHA256 84bb424fe3412a9bff5284101e7dd0ee615a33094c4f404062e25f97fbac5d26
SHA512 699eafb0cffa275b4d72a3356bd2c163e418ad961f5448b91deb809eb147691be29d4d468b295cbb08f0ca21e8c9999fa185ffe2682c5b35317ab7827f8a083c

memory/1280-66-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1808-69-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1808-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1808-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1808-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1808-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1808-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1808-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-78-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1968-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-85-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1968-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1556-87-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1556-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1556-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1556-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1556-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1556-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1396-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1396-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1396-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1396-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1396-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1016-106-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1984-109-0x0000000000000000-mapping.dmp

memory/1016-112-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1016-113-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1016-115-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1984-114-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1016-117-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1984-116-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1984-118-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1016-119-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1984-121-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1984-122-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1556-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1860-123-0x0000000000000000-mapping.dmp

memory/1860-131-0x0000000000400000-0x00000000009B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-16 02:19

Reported

2022-05-16 02:22

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240547640 C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\regedit.reg C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\install.vbs C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.exe C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File created C:\Program Files (x86)\System\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A
File opened for modification C:\Program Files (x86)\System\rutserv.pdb C:\Program Files (x86)\System\rutserv.exe N/A
File created C:\Program Files (x86)\System\install.bat C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe C:\Windows\SysWOW64\WScript.exe
PID 1988 wrote to memory of 4360 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 4360 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 4360 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4360 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4360 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4360 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4360 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4360 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4360 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4360 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4360 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4360 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4360 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4360 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 4580 wrote to memory of 4668 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4580 wrote to memory of 4660 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4580 wrote to memory of 4660 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4580 wrote to memory of 4660 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4580 wrote to memory of 4668 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4580 wrote to memory of 4668 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4668 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4668 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe
PID 4668 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rfusclient.exe C:\Program Files (x86)\System\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe

"C:\Users\Admin\AppData\Local\Temp\915738e4e4df8462f006d169a1cdebc3f311f7250b794281f78fa24d90586e4b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray
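The process list above is an unattended RMS deployment driven from install.vbs and install.bat: kill any running rutserv/rfusclient, wipe the HKLM\SYSTEM\Remote Manipulator System key, silently import a prepared regedit.reg, then run rutserv.exe with /silentinstall, /firewall and /start. RMS itself is a commercial remote-administration product, so the binaries are not the indicator; the chain is. The detection below is an added example written for this report, not code from the sandbox or from the RMS vendor. It runs over constructed Sysmon-style process-creation records whose command lines are copied from the list above; the PIDs come from the "wrote to memory" table where the report gives them, the parent PIDs of WScript.exe, the service instance of rutserv.exe and the benign control events are assumptions.

```python
"""Detect the RMS silent-install chain shown in the report's Processes list.

Added example, not part of the sandbox report. Events are constructed
Sysmon-style process-creation records (pid, ppid, image, command line).
Command lines are copied from the report; PIDs 4360/2584/1020/2628/1924/
2376/3088/4252/4632/4580 are from the report's WriteProcessMemory table,
every other PID/PPID is assumed.
"""
import re
from collections import defaultdict

# One entry per stage of the chain: (label, regex over the lower-cased command line).
STAGES = [
    ("kill_rms",       re.compile(r"taskkill\b.*\s/im\s+(rutserv|rfusclient)\.exe")),
    ("reg_wipe",       re.compile(r"reg\s+delete\s+\"?hklm\\system\\remote manipulator system")),
    ("reg_import",     re.compile(r"regedit(\.exe)?\s+/s\b")),          # silent .reg import
    ("silent_install", re.compile(r"rutserv(\.exe)?\"?\s+/silentinstall\b")),
    ("firewall_rule",  re.compile(r"rutserv(\.exe)?\"?\s+/firewall\b")),
    ("service_start",  re.compile(r"rutserv(\.exe)?\"?\s+/start\b")),
]
# Parents whose children we inspect: script hosts, not interactive GUI apps.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")


def stages_for(cmdline):
    """Return the chain stages a single command line matches (possibly none)."""
    cl = cmdline.lower()
    return [label for label, rx in STAGES if rx.search(cl)]


def detect_rms_install(events):
    """One finding per script-host process whose children cover the chain.

    A finding needs the /silentinstall stage plus at least two other stages,
    so a lone 'taskkill /f /im rutserv.exe' from an admin does not fire.
    """
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    findings = []
    for ev in events:
        image_name = ev["image"].lower().rsplit("\\", 1)[-1]
        if image_name not in SCRIPT_HOSTS:
            continue
        hit = {}  # stage label -> pid of the first child that matched it
        for child in by_parent[ev["pid"]]:
            for label in stages_for(child["cmdline"]):
                hit.setdefault(label, child["pid"])
        if "silent_install" in hit and len(hit) >= 3:
            findings.append({"parent_pid": ev["pid"], "parent": ev["cmdline"], "stages": hit})
    return findings


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SYS = r"C:\Windows\SysWOW64"
RMS = r"C:\Program Files (x86)\System"
# Constructed event log modelled on the report (see module docstring for which PIDs are real).
EVENTS = [
    _ev(1988, 1, SYS + r"\WScript.exe", r'"C:\Windows\System32\WScript.exe" "' + RMS + r'\install.vbs"'),
    _ev(4360, 1988, SYS + r"\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + RMS + r'\install.bat" "'),
    _ev(2584, 4360, SYS + r"\taskkill.exe", "taskkill /f /im rutserv.exe"),
    _ev(1020, 4360, SYS + r"\taskkill.exe", "taskkill /f /im rfusclient.exe"),
    _ev(2628, 4360, SYS + r"\reg.exe", r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    _ev(1924, 4360, SYS + r"\regedit.exe", 'regedit /s "regedit.reg"'),
    _ev(2376, 4360, SYS + r"\timeout.exe", "timeout 2"),
    _ev(3088, 4360, RMS + r"\rutserv.exe", "rutserv.exe /silentinstall"),
    _ev(4252, 4360, RMS + r"\rutserv.exe", "rutserv.exe /firewall"),
    _ev(4632, 4360, RMS + r"\rutserv.exe", "rutserv.exe /start"),
    _ev(4580, 1, RMS + r"\rutserv.exe", '"' + RMS + r'\rutserv.exe"'),   # service instance
    # Constructed benign control: an admin killing notepad from an interactive shell.
    _ev(5000, 1, SYS + r"\cmd.exe", "cmd.exe"),
    _ev(5001, 5000, SYS + r"\taskkill.exe", "taskkill /f /im notepad.exe"),
]

if __name__ == "__main__":
    for f in detect_rms_install(EVENTS):
        print(f"RMS silent install from PID {f['parent_pid']}: {f['parent']}")
        for label, pid in f["stages"].items():
            print(f"  {label:<15} child PID {pid}")
```

The stage regexes key on the switches rather than on the file names, so a renamed rutserv.exe that still takes /silentinstall is caught, while the /silentinstall requirement keeps an operator's manual taskkill or reg delete from producing a finding on its own.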

Network

Country  Destination          Domain                   Proto
US       104.22.67.195:80     -                        tcp
NL       87.248.202.1:80      -                        tcp
US       8.8.8.8:53           rmansys.ru               udp
RU       31.31.198.18:80      rmansys.ru               tcp
RU       31.31.198.18:80      rmansys.ru               tcp
US       8.8.8.8:53           rms-server.tektonit.ru   udp
RU       95.213.205.83:5655   rms-server.tektonit.ru   tcp
RU       95.213.205.83:563    rms-server.tektonit.ru   tcp
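The network rows show the dropped RMS binaries resolving and contacting the vendor's domains (rmansys.ru, rms-server.tektonit.ru) and a relay on 95.213.205.83, ports 5655 and 563. Those hosts are legitimate RMS infrastructure, so the useful check is not "is this IP bad" but "is this machine expected to talk to RMS at all". The script below is an added example for this report, not code from the sandbox or the vendor: it parses rows in the table's own layout, matches the indicators copied from it, and treats plain TCP/5655 to any other address as a weaker, port-only indicator (the assumption that other RMS relays use the same port is mine, not the report's). The two benign rows and the 198.51.100.7 test address are constructed.

```python
"""Flag rows of the report's Network table that point at RMS infrastructure.

Added example, not part of the sandbox report. Rows use the report's own
layout: "<country> <ip>:<port> [<domain>] <proto>", with "-" or nothing
when the domain column is empty. Indicator values are copied from the table.
"""
import re
from dataclasses import dataclass

# Vendor domains contacted by the dropped RMS binaries (from the report).
# Legitimate Remote Manipulator System / TektonIT hosts: a hit matters only on
# a machine that is not supposed to run RMS.
RMS_DOMAIN_SUFFIXES = ("rmansys.ru", "tektonit.ru")
# Relay endpoints (ip, port) the sample connected to, from the report.
RMS_RELAY_ENDPOINTS = {("95.213.205.83", 5655), ("95.213.205.83", 563)}
# Port the report shows for the rms-server relay; used alone as a weak
# indicator (assumption: other relays listen on the same port).
RMS_RELAY_PORT = 5655

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>[\w.-]+)\s+)?"
    r"(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    domain: str
    proto: str
    reason: str


def parse_row(line):
    """Return (cc, ip, port, domain, proto) or None if the line is not a table row."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    domain = m["domain"] or ""
    if domain == "-":  # placeholder for an empty domain column
        domain = ""
    return m["cc"], m["ip"], int(m["port"]), domain.lower(), m["proto"]


def is_rms_domain(domain):
    d = domain.rstrip(".")
    return any(d == s or d.endswith("." + s) for s in RMS_DOMAIN_SUFFIXES)


def flag_rows(lines):
    """Classify each parseable row; strongest matching reason wins."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _cc, ip, port, domain, proto = row
        if (ip, port) in RMS_RELAY_ENDPOINTS:
            reason = "tcp to RMS relay endpoint from report"
        elif proto == "udp" and port == 53 and is_rms_domain(domain):
            reason = "dns lookup of RMS vendor domain"
        elif is_rms_domain(domain):
            reason = "connection to RMS vendor domain"
        elif proto == "tcp" and port == RMS_RELAY_PORT:
            reason = "tcp to RMS relay port (weak: port only)"
        else:
            continue
        findings.append(Finding(ip, port, domain, proto, reason))
    return findings


# Rows copied from the report's Network table.
REPORT_ROWS = [
    "US 104.22.67.195:80 tcp",
    "NL 87.248.202.1:80 tcp",
    "US 8.8.8.8:53 rmansys.ru udp",
    "RU 31.31.198.18:80 rmansys.ru tcp",
    "RU 31.31.198.18:80 rmansys.ru tcp",
    "US 8.8.8.8:53 rms-server.tektonit.ru udp",
    "RU 95.213.205.83:5655 rms-server.tektonit.ru tcp",
    "RU 95.213.205.83:563 rms-server.tektonit.ru tcp",
]
# Constructed benign rows (not from the report).
BENIGN_ROWS = [
    "US 13.107.4.52:443 www.msftconnecttest.com tcp",
    "DE 1.1.1.1:53 example.org udp",
]

if __name__ == "__main__":
    for f in flag_rows(REPORT_ROWS + BENIGN_ROWS):
        print(f"{f.proto} {f.ip}:{f.port} {f.domain or '-':<24} <- {f.reason}")
```

The two unattributed port-80 rows (104.22.67.195, 87.248.202.1) are left unflagged on purpose: the report gives no domain for them, and nothing on the page ties them to RMS.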

Files

memory/1988-130-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 65fc32766a238ff3e95984e325357dbb
SHA1 3ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256 a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

C:\Program Files (x86)\System\install.bat

MD5 99db27d776e103cad354b531ee1f20b9
SHA1 0b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256 240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512 bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69

memory/4360-133-0x0000000000000000-mapping.dmp

memory/2584-134-0x0000000000000000-mapping.dmp

memory/1020-135-0x0000000000000000-mapping.dmp

memory/2628-136-0x0000000000000000-mapping.dmp

memory/1924-137-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\regedit.reg

MD5 e07d9ed7f410a5b1ee9b9d790c21dccd
SHA1 bf6b1a88220c78f6502399c6ddbcc30fa21a880c
SHA256 84bb424fe3412a9bff5284101e7dd0ee615a33094c4f404062e25f97fbac5d26
SHA512 699eafb0cffa275b4d72a3356bd2c163e418ad961f5448b91deb809eb147691be29d4d468b295cbb08f0ca21e8c9999fa185ffe2682c5b35317ab7827f8a083c

memory/2376-139-0x0000000000000000-mapping.dmp

memory/3088-140-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/3088-143-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3088-144-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3088-145-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3088-146-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3088-147-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3088-148-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4252-149-0x0000000000000000-mapping.dmp

memory/4252-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4252-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4252-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4252-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4252-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4252-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4632-157-0x0000000000000000-mapping.dmp

memory/4632-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4632-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4632-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4632-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4632-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4580-165-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4580-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4580-166-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4580-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4580-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

memory/4660-173-0x0000000000000000-mapping.dmp

memory/4668-174-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/4660-178-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-179-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-181-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4660-182-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-183-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-185-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4660-184-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4660-186-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4668-187-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4660-180-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4632-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2736-188-0x0000000000000000-mapping.dmp

memory/2736-190-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-192-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-193-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-191-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-194-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-195-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4580-196-0x0000000000400000-0x0000000000AB9000-memory.dmp