Malware Analysis Report

2024-11-13 16:21

Sample ID 220520-dmaclaehg2
Target fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941
SHA256 fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941
Tags
rms aspackv2 evasion rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941

Threat Level: Known bad

The file fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941 was found to be: Known bad.

Malicious Activity Summary

rms aspackv2 evasion rat trojan upx

RMS

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

Executes dropped EXE

Sets file to hidden

UPX packed file

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Runs .reg file with regedit

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: SetClipboardViewer

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-20 03:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 03:07

Reported

2022-05-20 03:12

Platform

win7-20220414-en

Max time kernel

164s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sets file to hidden

evasion

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\System | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File created | C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7092195 | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\regedit.reg | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\mailsend.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rms.sfx.exe | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\start.bat | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.vbs | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\vp8decoder.dll | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\vp8encoder.dll | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\rfusclient.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\install.vbs | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\rutserv.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rutserv.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rms.sfx.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rutserv.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\start.bat | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\rms.sfx.exe | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File created | C:\Program Files (x86)\System\start.bat | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rfusclient.exe | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\regedit.reg | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rfusclient.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.bat | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.bat | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\mailsend.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_7094504 | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\mailsend.exe | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\install.bat | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.vbs | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\regedit.reg | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | C:\Windows\SysWOW64\attrib.exe | N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious behavior: SetClipboardViewer

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\System\rfusclient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A
N/A | N/A | C:\Program Files (x86)\System\rutserv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\System\rms.sfx.exe
PID 332 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\System\rms.sfx.exe
PID 332 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\System\rms.sfx.exe
PID 332 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\System\rms.sfx.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 524 wrote to memory of 1252 | N/A | C:\Program Files (x86)\System\rms.sfx.exe | C:\rms.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1252 wrote to memory of 1376 | N/A | C:\rms.exe | C:\Windows\SysWOW64\WScript.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1632 wrote to memory of 904 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe

"C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\start.bat" "

C:\Program Files (x86)\System\rms.sfx.exe

rms.sfx.exe -psdsgsadGdsgKdKJASHDJHJhjadhkJASHDK -dc:\

C:\rms.exe

"C:\rms.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rmansys.ru | udp
RU | 31.31.198.18:80 | rmansys.ru | tcp
RU | 31.31.198.18:80 | rmansys.ru | tcp
US | 8.8.8.8:53 | rms-server.tektonit.ru | udp
RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp

Files

memory/1728-54-0x0000000076171000-0x0000000076173000-memory.dmp

memory/332-55-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\start.bat

MD5 697e66775761bcafab2582842175ee0f
SHA1 fa1fc9a09336bbec97aa4f8af743875cbf047b60
SHA256 33a896cb9380a6081647bcf1f4957b32d93af2024d3b386b502d6823b63006b3
SHA512 bc70bfe4e28e8a00d836f1257f1d85b5f08915bb163517fe49cab30ce9e3ad4b2302d70658636e394d7f51d145cda75c1b28934da23226c44a2bbb86b0920acf

\Program Files (x86)\System\rms.sfx.exe

MD5 60ef589e653412de1a47d55c666acc96
SHA1 f75f5d11a23ebe5e1a310f5c0a71181bd4ba1c92
SHA256 79a7d13e12ce4716b22e8d7f4507de56c0cc4c0f35159a2af2a84147859c7220
SHA512 15b4563f41c7169c4128a07a2701861297bd013518202560806c4988b29bf1c16e06795385dc3fab4b05539f6fade1fdfa12b70984fd0e3dec21158c3c91764a

C:\Program Files (x86)\System\rms.sfx.exe

MD5 60ef589e653412de1a47d55c666acc96
SHA1 f75f5d11a23ebe5e1a310f5c0a71181bd4ba1c92
SHA256 79a7d13e12ce4716b22e8d7f4507de56c0cc4c0f35159a2af2a84147859c7220
SHA512 15b4563f41c7169c4128a07a2701861297bd013518202560806c4988b29bf1c16e06795385dc3fab4b05539f6fade1fdfa12b70984fd0e3dec21158c3c91764a

memory/524-59-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rms.sfx.exe

MD5 60ef589e653412de1a47d55c666acc96
SHA1 f75f5d11a23ebe5e1a310f5c0a71181bd4ba1c92
SHA256 79a7d13e12ce4716b22e8d7f4507de56c0cc4c0f35159a2af2a84147859c7220
SHA512 15b4563f41c7169c4128a07a2701861297bd013518202560806c4988b29bf1c16e06795385dc3fab4b05539f6fade1fdfa12b70984fd0e3dec21158c3c91764a

memory/1252-62-0x0000000000000000-mapping.dmp

C:\rms.exe

MD5 f89f29bd0d5239e0a979d888c9520a00
SHA1 7fbfff8ba4ea727eaa488a1f408a3ec53ca34177
SHA256 6d9ef65547cd4bbbf97c6f97aff6b54e8faf17cae2c6dcaf40b669c16a95ef6b
SHA512 88b64e5c80b10194f1ae1ea018cabcb2de72d880bdedfe60311c9c0965952224dcf71f930e2d3901c2b3d0398a5f23e21b125e30d0da80f056867c6eb6af6cc4

C:\rms.exe

MD5 f89f29bd0d5239e0a979d888c9520a00
SHA1 7fbfff8ba4ea727eaa488a1f408a3ec53ca34177
SHA256 6d9ef65547cd4bbbf97c6f97aff6b54e8faf17cae2c6dcaf40b669c16a95ef6b
SHA512 88b64e5c80b10194f1ae1ea018cabcb2de72d880bdedfe60311c9c0965952224dcf71f930e2d3901c2b3d0398a5f23e21b125e30d0da80f056867c6eb6af6cc4

memory/1376-66-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 c719a030434d3fa96d62868f27e904a6
SHA1 f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA256 2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA512 47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

C:\Program Files (x86)\System\install.bat

MD5 e34566750cd2942f817fc969f53852aa
SHA1 4b103dd2265d20f21f9edff4f04dbce6c50ead67
SHA256 a874138e3bae5d14dc13b3b4886bcc241b6a825de7c4af572523b5fadc1294f4
SHA512 8e62215233b82182bc323921bfdb203457ebfd574631467d616e630f80f59e706de3a87b7980a5b8d33c487d3a9f473f8bc0f27623c5aa659f2edd41619ba8dc

memory/1632-70-0x0000000000000000-mapping.dmp

memory/1364-72-0x0000000000000000-mapping.dmp

memory/1844-74-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\mailsend.exe

MD5 ac23b87f8ec60ddd3f555556f89a6af8
SHA1 3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256 80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512 57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\regedit.reg

MD5 251212852a073e6fc5fbe3af92f66adb
SHA1 6ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256 f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512 f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

memory/756-82-0x0000000000000000-mapping.dmp

memory/1792-84-0x0000000000000000-mapping.dmp

memory/904-86-0x0000000000000000-mapping.dmp

memory/1540-88-0x0000000000000000-mapping.dmp

memory/1720-90-0x0000000000000000-mapping.dmp

memory/1620-92-0x0000000000000000-mapping.dmp

memory/1008-94-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/872-97-0x0000000000000000-mapping.dmp

memory/872-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/872-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/872-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/872-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/872-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1756-107-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/872-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1756-110-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1756-111-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1756-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1756-113-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1756-114-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1508-117-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/1756-115-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1508-120-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1508-121-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1508-122-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1508-123-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1508-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/320-127-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/320-128-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/320-129-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/320-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/320-131-0x0000000000400000-0x0000000000AB9000-memory.dmp

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2044-134-0x0000000000000000-mapping.dmp

memory/1180-135-0x0000000000000000-mapping.dmp

\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/1180-140-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-141-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1180-143-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-142-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-144-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1180-145-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-146-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1180-147-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2044-148-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1180-149-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/1508-150-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1776-151-0x0000000000000000-mapping.dmp

memory/1808-153-0x0000000000000000-mapping.dmp

memory/1296-155-0x0000000000000000-mapping.dmp

memory/1708-157-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/388-159-0x0000000000000000-mapping.dmp

memory/388-162-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/388-163-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/388-164-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/388-165-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/388-166-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/388-167-0x0000000000400000-0x00000000009B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 03:07

Reported

2022-05-20 03:12

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe"

Signatures

RMS

trojan rat rms

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sets file to hidden

evasion

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\System\rms.sfx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\rms.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240556437 | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rfusclient.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.vbs | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\regedit.reg | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\mailsend.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\start.bat | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.bat | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\mailsend.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\start.bat | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File created | C:\Program Files (x86)\System\vp8encoder.dll | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\regedit.reg | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rutserv.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rms.sfx.exe | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification | C:\Program Files (x86)\System | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\regedit.reg | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\install.bat | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\install.bat | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rms.sfx.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\vp8decoder.dll | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\rfusclient.exe | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\rutserv.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\System\rutserv.exe | C:\rms.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Program Files (x86)\System\start.bat | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Program Files (x86)\System\install.vbs | C:\rms.exe | N/A
File created | C:\Program Files (x86)\System\rms.sfx.exe | C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe | N/A
File opened for modification C:\Program Files (x86)\System\rfusclient.exe C:\rms.exe N/A
File created C:\Program Files (x86)\System\mailsend.exe C:\rms.exe N/A
File opened for modification C:\Program Files (x86)\System\install.vbs C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240549421 C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe N/A

Launches sc.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings C:\rms.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\System\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rms.sfx.exe
PID 3824 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rms.sfx.exe
PID 3824 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rms.sfx.exe
PID 3128 wrote to memory of 4604 N/A C:\Program Files (x86)\System\rms.sfx.exe C:\rms.exe
PID 3128 wrote to memory of 4604 N/A C:\Program Files (x86)\System\rms.sfx.exe C:\rms.exe
PID 3128 wrote to memory of 4604 N/A C:\Program Files (x86)\System\rms.sfx.exe C:\rms.exe
PID 4604 wrote to memory of 3728 N/A C:\rms.exe C:\Windows\SysWOW64\WScript.exe
PID 4604 wrote to memory of 3728 N/A C:\rms.exe C:\Windows\SysWOW64\WScript.exe
PID 4604 wrote to memory of 3728 N/A C:\rms.exe C:\Windows\SysWOW64\WScript.exe
PID 3728 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 1644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1644 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1644 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1644 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1644 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1644 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1644 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1644 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1644 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 1644 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\System\rutserv.exe
PID 3304 wrote to memory of 4600 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3304 wrote to memory of 4600 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3304 wrote to memory of 4600 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3304 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3304 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 3304 wrote to memory of 2736 N/A C:\Program Files (x86)\System\rutserv.exe C:\Program Files (x86)\System\rfusclient.exe
PID 1644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1644 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe

"C:\Users\Admin\AppData\Local\Temp\fdee96f2a0bb91e93638f9f760aa8eff5a3fbcbb3f8b9ae3890f797cc58e9941.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\start.bat" "

C:\Program Files (x86)\System\rms.sfx.exe

rms.sfx.exe -psdsgsadGdsgKdKJASHDJHJhjadhkJASHDK -dc:\

C:\rms.exe

"C:\rms.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System" +H +S /S /D

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

Taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /silentinstall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /firewall

C:\Program Files (x86)\System\rutserv.exe

rutserv.exe /start

C:\Program Files (x86)\System\rutserv.exe

"C:\Program Files (x86)\System\rutserv.exe"

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe"

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

C:\Windows\SysWOW64\timeout.exe

timeout 120

C:\Program Files (x86)\System\rfusclient.exe

"C:\Program Files (x86)\System\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 20.189.173.6:443 tcp
US 67.24.179.254:80 tcp
US 67.24.179.254:80 tcp

Files

memory/3824-130-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\start.bat

MD5 697e66775761bcafab2582842175ee0f
SHA1 fa1fc9a09336bbec97aa4f8af743875cbf047b60
SHA256 33a896cb9380a6081647bcf1f4957b32d93af2024d3b386b502d6823b63006b3
SHA512 bc70bfe4e28e8a00d836f1257f1d85b5f08915bb163517fe49cab30ce9e3ad4b2302d70658636e394d7f51d145cda75c1b28934da23226c44a2bbb86b0920acf

memory/3128-132-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rms.sfx.exe

MD5 60ef589e653412de1a47d55c666acc96
SHA1 f75f5d11a23ebe5e1a310f5c0a71181bd4ba1c92
SHA256 79a7d13e12ce4716b22e8d7f4507de56c0cc4c0f35159a2af2a84147859c7220
SHA512 15b4563f41c7169c4128a07a2701861297bd013518202560806c4988b29bf1c16e06795385dc3fab4b05539f6fade1fdfa12b70984fd0e3dec21158c3c91764a

C:\Program Files (x86)\System\rms.sfx.exe

MD5 60ef589e653412de1a47d55c666acc96
SHA1 f75f5d11a23ebe5e1a310f5c0a71181bd4ba1c92
SHA256 79a7d13e12ce4716b22e8d7f4507de56c0cc4c0f35159a2af2a84147859c7220
SHA512 15b4563f41c7169c4128a07a2701861297bd013518202560806c4988b29bf1c16e06795385dc3fab4b05539f6fade1fdfa12b70984fd0e3dec21158c3c91764a

memory/4604-135-0x0000000000000000-mapping.dmp

C:\rms.exe

MD5 f89f29bd0d5239e0a979d888c9520a00
SHA1 7fbfff8ba4ea727eaa488a1f408a3ec53ca34177
SHA256 6d9ef65547cd4bbbf97c6f97aff6b54e8faf17cae2c6dcaf40b669c16a95ef6b
SHA512 88b64e5c80b10194f1ae1ea018cabcb2de72d880bdedfe60311c9c0965952224dcf71f930e2d3901c2b3d0398a5f23e21b125e30d0da80f056867c6eb6af6cc4

C:\rms.exe

MD5 f89f29bd0d5239e0a979d888c9520a00
SHA1 7fbfff8ba4ea727eaa488a1f408a3ec53ca34177
SHA256 6d9ef65547cd4bbbf97c6f97aff6b54e8faf17cae2c6dcaf40b669c16a95ef6b
SHA512 88b64e5c80b10194f1ae1ea018cabcb2de72d880bdedfe60311c9c0965952224dcf71f930e2d3901c2b3d0398a5f23e21b125e30d0da80f056867c6eb6af6cc4

memory/3728-138-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\install.vbs

MD5 c719a030434d3fa96d62868f27e904a6
SHA1 f2f750a752dd1fda8915a47b082af7cf2d3e3655
SHA256 2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f
SHA512 47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

C:\Program Files (x86)\System\install.bat

MD5 e34566750cd2942f817fc969f53852aa
SHA1 4b103dd2265d20f21f9edff4f04dbce6c50ead67
SHA256 a874138e3bae5d14dc13b3b4886bcc241b6a825de7c4af572523b5fadc1294f4
SHA512 8e62215233b82182bc323921bfdb203457ebfd574631467d616e630f80f59e706de3a87b7980a5b8d33c487d3a9f473f8bc0f27623c5aa659f2edd41619ba8dc

memory/1644-141-0x0000000000000000-mapping.dmp

memory/1880-142-0x0000000000000000-mapping.dmp

memory/868-143-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\mailsend.exe

MD5 ac23b87f8ec60ddd3f555556f89a6af8
SHA1 3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c
SHA256 80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4
SHA512 57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

C:\Program Files (x86)\System\regedit.reg

MD5 251212852a073e6fc5fbe3af92f66adb
SHA1 6ee07cb20f57830325c11867e68fea49ae0e87ea
SHA256 f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb
SHA512 f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\Program Files (x86)\System\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Program Files (x86)\System\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/5000-150-0x0000000000000000-mapping.dmp

memory/3244-151-0x0000000000000000-mapping.dmp

memory/4476-152-0x0000000000000000-mapping.dmp

memory/4900-153-0x0000000000000000-mapping.dmp

memory/5076-154-0x0000000000000000-mapping.dmp

memory/2248-155-0x0000000000000000-mapping.dmp

memory/3948-156-0x0000000000000000-mapping.dmp

memory/3552-157-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/3552-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3552-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3552-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3552-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3552-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3552-164-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4988-165-0x0000000000000000-mapping.dmp

memory/4988-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4988-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4988-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4988-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4988-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/2336-173-0x0000000000000000-mapping.dmp

memory/4988-172-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2336-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2336-176-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2336-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2336-178-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2336-179-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Program Files (x86)\System\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/3304-181-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3304-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3304-183-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3304-184-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3304-185-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4600-186-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2336-189-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2736-187-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/4716-191-0x0000000000000000-mapping.dmp

memory/4600-192-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-195-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-197-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4600-194-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-200-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4600-199-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3712-202-0x0000000000000000-mapping.dmp

memory/4600-201-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-198-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4600-196-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5100-203-0x0000000000000000-mapping.dmp

memory/2736-193-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4584-204-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\System\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

memory/2352-205-0x0000000000000000-mapping.dmp

memory/2352-207-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2352-208-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2352-209-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2352-210-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2352-211-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2352-212-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2736-213-0x0000000000400000-0x00000000009B6000-memory.dmp