rms | b55cf23b9c1295cb522a86734d55de3a3263e63fc58bb4004de54fd4475c531e

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe
Size

6.7MB
MD5

3c4993b2cba2e109bfb33d6e78fa1880
SHA1

db17088deb0a3860013b390b0ef184ea061209fc
SHA256

b55cf23b9c1295cb522a86734d55de3a3263e63fc58bb4004de54fd4475c531e
SHA512

d63b9c7bd3583c7eea61b098070a03e99ccf2525ecda19da08639900061b9bbf117f6a678d15eb75876f6ba073cdc00f5a48bd5c8606575e10c5fa9a6b3e4171

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 5 IoCs

pid	Process
1692	rfusclient.exe
1852	rfusclient.exe
1180	rutserv.exe
776	rutserv.exe
1620	rfusclient.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 7 IoCs

pid	Process
1892	cmd.exe
1692	rfusclient.exe
1692	rfusclient.exe
1852	rfusclient.exe
1852	rfusclient.exe
1852	rfusclient.exe
1852	rfusclient.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1180	rutserv.exe
1180	rutserv.exe
1180	rutserv.exe
1180	rutserv.exe
1180	rutserv.exe
776	rutserv.exe
776	rutserv.exe
776	rutserv.exe
776	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	rutserv.exe
Token: SeTakeOwnershipPrivilege	776	rutserv.exe
Token: SeTcbPrivilege	776	rutserv.exe
Token: SeTcbPrivilege	776	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1620	rfusclient.exe
1620	rfusclient.exe
1620	rfusclient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1620	rfusclient.exe
1620	rfusclient.exe
1620	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1180	rutserv.exe
1180	rutserv.exe
1180	rutserv.exe
1180	rutserv.exe
776	rutserv.exe
776	rutserv.exe
776	rutserv.exe
776	rutserv.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 960 wrote to memory of 1892	960	B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe	27
PID 1892 wrote to memory of 1692	1892	cmd.exe	29
PID 1892 wrote to memory of 1692	1892	cmd.exe	29
PID 1892 wrote to memory of 1692	1892	cmd.exe	29
PID 1892 wrote to memory of 1692	1892	cmd.exe	29
PID 1692 wrote to memory of 1852	1692	rfusclient.exe	30
PID 1692 wrote to memory of 1852	1692	rfusclient.exe	30
PID 1692 wrote to memory of 1852	1692	rfusclient.exe	30
PID 1692 wrote to memory of 1852	1692	rfusclient.exe	30
PID 1852 wrote to memory of 1180	1852	rfusclient.exe	31
PID 1852 wrote to memory of 1180	1852	rfusclient.exe	31
PID 1852 wrote to memory of 1180	1852	rfusclient.exe	31
PID 1852 wrote to memory of 1180	1852	rfusclient.exe	31
PID 776 wrote to memory of 1620	776	rutserv.exe	33
PID 776 wrote to memory of 1620	776	rutserv.exe	33
PID 776 wrote to memory of 1620	776	rutserv.exe	33
PID 776 wrote to memory of 1620	776	rutserv.exe	33

C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe
"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
    rfusclient.exe -deploy
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe" -run_agent
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
        
        "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1180
      - C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe -second
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
        
        C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe /tray /user
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

Filesize
114KB

MD5
c3d7db3461db0dbb8a1d2a937b1d6252

SHA1
35fafe6c6812f20454c709b0a43a21bf7e9f66bf

SHA256
cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46

SHA512
9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

Filesize
52KB

MD5
294227da6f9c610c49d38e3965bcdb71

SHA1
a6f694235a68fe35ece21d39e736e16053f4b91d

SHA256
55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755

SHA512
0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

Filesize
150KB

MD5
59068498190113e051d94fd0b5ef98aa

SHA1
6b64bb29763c43a86a4be87fcbc94b2f4697ced3

SHA256
097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46

SHA512
f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

Filesize
966KB

MD5
56c10161ff350d143fe51affe777d19f

SHA1
54abec9bcf95904b666fa5dbdc9b976acb59e79d

SHA256
4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8

SHA512
229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Russian.lg

Filesize
57KB

MD5
cc99020d311e97d6127ab9ddd44c980b

SHA1
57746de06ba0f206f6ef34c453b5d5cc1f00e136

SHA256
37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b

SHA512
4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

Filesize
428B

MD5
6b948f51b8645b3a315a5466b615e3c7

SHA1
e96926a39e6a41f1dd40a564d0cfa80edd6e70a4

SHA256
ee7c0246e8c9f100c7acbd09bed0d7633f4f9bd9095c56fc6f64c74c83d61768

SHA512
674ed59e744e99f492d576eb8c1736e0d4b34c9a25fe87fb4dbae4c7fb76c1a45731a3f4eb7823eaae0567da269d6041706b06782047dd1b5ad9c6b494c649cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

Filesize
86B

MD5
90b15937ff9ec75f7016e171bd1261ce

SHA1
3fa80c58e8bf6c3ab356047cfaa14187328c3732

SHA256
eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a

SHA512
993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
25B

MD5
9b7ac054975f8f7b6fe9a41a18e2d6e7

SHA1
d820008d3732f37a7e4030c4bd414e3764de1af7

SHA256
815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255

SHA512
806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

Filesize
754KB

MD5
8c36cac6a4b532366bd357139715f64f

SHA1
a05f193ccb47474323598df7325a9cf2400da91c

SHA256
49529ab38016ca0fa715456b0eed7569741b7370f0bb828b6d21edcdd8730b0a

SHA512
eaa525dc4138b6df7f4cb24a37a413fe1446fb20b852fadc284ebd2636177900553e5794d2da0af3e6a33cf07b003359f0622477157f57587eb524494095e564

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

Filesize
5KB

MD5
b16ea675ebd94251048b55bfb0fc9c2a

SHA1
b39e923cfeca6d05de88f3a815af42cc754905af

SHA256
5b13a17d77f6f8eec9f20c3155bfdc39d09c5b668929fc46295b480b896851b0

SHA512
03636f9c47bb0c85ce76b3a6439da42ec94c9417dffeebe292566bda2620f31d4b0836fe38bfb5e4d3299d192a6aa34eed867bc1f8ba050dad344ddbe30c2959

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

Filesize
380KB

MD5
1ea62293ac757a0c2b64e632f30db636

SHA1
8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

SHA256
970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

SHA512
857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

Filesize
1.6MB

MD5
89770647609ac26c1bbd9cf6ed50954e

SHA1
349eed120070bab7e96272697b39e786423ac1d3

SHA256
7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

SHA512
a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

Filesize
260KB

MD5
d29f7070ee379544aeb19913621c88e6

SHA1
499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

SHA256
654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

SHA512
4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

Filesize
365KB

MD5
7a9eeac3ceaf7f95f44eb5c57b4db2e3

SHA1
be1048c254aa3114358f76d08c55667c4bf2d382

SHA256
b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

SHA512
b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

Filesize
860KB

MD5
5308b9945e348fbe3a480be06885434c

SHA1
5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

SHA256
9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

SHA512
4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

Download Submit
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Filesize
5.5MB

MD5
b274f6fe4595bd970e2a14ca27c0ed51

SHA1
1829e2c4c725e363b566dd0267265dd84f3f924d

SHA256
6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0

SHA512
237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Download Submit
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Filesize
9.5MB

MD5
d10dae1197db0b694c832ae512b34024

SHA1
24757c07c814d53ded645547bc53e29c98919077

SHA256
74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be

SHA512
f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

Download Submit
memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download