rms | 94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe
Size

16.4MB
MD5

54a57c4a0b4891ad3ea90bdf833beed7
SHA1

7c9bf87daa9c7f894dcfdaa19e75808938db9f51
SHA256

94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f
SHA512

1750105257b095c3c97d2a45a9eede594caebdce4f5c7791c008b782067844ae9519deed0bd5358f87bf9a3d3fa06c543a23a81c9a63bf456e4357546f9b3d18

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4336 created 676	4336	svchost.exe	80

Executes dropped EXE 4 IoCs

pid	Process
888	rfusclient.exe
676	rutserv.exe
1324	rutserv.exe
2196	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-130-0x0000000000400000-0x000000000282D000-memory.dmp	upx
behavioral2/memory/3940-134-0x0000000000400000-0x000000000282D000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	rutserv.exe

Loads dropped DLL 4 IoCs

pid	Process
676	rutserv.exe
676	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_09E960F015FF4A8F16C13B5E9BAAA43F	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_09E960F015FF4A8F16C13B5E9BAAA43F	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
888	rfusclient.exe
888	rfusclient.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
2196	rfusclient.exe
2196	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	rutserv.exe
Token: SeTcbPrivilege	4336	svchost.exe
Token: SeTcbPrivilege	4336	svchost.exe
Token: SeTakeOwnershipPrivilege	1324	rutserv.exe
Token: SeTcbPrivilege	1324	rutserv.exe
Token: SeTcbPrivilege	1324	rutserv.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2196	rfusclient.exe
2196	rfusclient.exe
2196	rfusclient.exe
2196	rfusclient.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2196	rfusclient.exe
2196	rfusclient.exe
2196	rfusclient.exe
2196	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
676	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe
1324	rutserv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 888	3940	94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe	79
PID 3940 wrote to memory of 888	3940	94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe	79
PID 3940 wrote to memory of 888	3940	94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe	79
PID 888 wrote to memory of 676	888	rfusclient.exe	80
PID 888 wrote to memory of 676	888	rfusclient.exe	80
PID 888 wrote to memory of 676	888	rfusclient.exe	80
PID 4336 wrote to memory of 1324	4336	svchost.exe	85
PID 4336 wrote to memory of 1324	4336	svchost.exe	85
PID 4336 wrote to memory of 1324	4336	svchost.exe	85
PID 1324 wrote to memory of 2196	1324	rutserv.exe	88
PID 1324 wrote to memory of 2196	1324	rutserv.exe	88
PID 1324 wrote to memory of 2196	1324	rutserv.exe	88

C:\Users\Admin\AppData\Local\Temp\94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe
"C:\Users\Admin\AppData\Local\Temp\94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe" -run_agent
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe" -run_agent
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:676
  - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe" /tray /user
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\branding.ini

Filesize
674B

MD5
54e5a8d26aaad70d18f61bf532129d8b

SHA1
a81a63d06570dcea8820dc5e028ac0b18c31d151

SHA256
dedb9c33b36b950dcd2e4492301e48491136e95e19d058b8458752f019befd0a

SHA512
090b50bb609712e89298bc96c74f0f0a708475e8554b855440dca3e0837888ecb75a9310be9fbe3ca73829293c6021f67ea9f7a5fc552c0a840b36e596be1e02

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\eventmsg.dll

Filesize
51KB

MD5
ca8a4346b37cdd0220792885c5937b30

SHA1
eef05f4b7fb5f8aabfb93d10a6451cc77b489864

SHA256
ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

SHA512
c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\libeay32.dll

Filesize
1.3MB

MD5
0d51927274281007657c7f3e0df7becb

SHA1
6de3746d9d0980f5715cec6c676a8eb53b5efc49

SHA256
dfc847405be60c29e86e3e3222e7f63c1ff584727d87d3c35c25c4893e19fda0

SHA512
eef74088a94635184192d82bb6dcc0758749cb290c8deeff211881e8a280aec73a53334eff8846df618204b0f318e757eab23e76951a472ba6e086905000d9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\logo.png

Filesize
11KB

MD5
8c65c32c734d988de2d3d690e9a208fa

SHA1
c12426d7a7d3387565c894224819c70b5991d3cc

SHA256
900f787d7bcc774df9df32d65a04494faa6e30c9647d81657c946f3e19f4ecdf

SHA512
000dee71d9c9b0e721a6a9f6a19e32dcc4b0c2ce5b4d6479a1ae36d4194319092573befe6b28552d9b5279430322e71582e9e2edcabde715e389b1860c1645a0

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe

Filesize
11.2MB

MD5
43cc976800c506662c325478eb8bf9ea

SHA1
6d18795469c3a0ac6e4b8bb0024fffba51c45c60

SHA256
41ea3c0b8421ebdea1eb6a508a38e120b1fbb38b9a2e1379deabc5a167a87408

SHA512
396a97698a815316b1bd1b927f089c1d4934ea9fb8b31be72941e46030059978f98866cc19c5daf36722d5a768af007434c875de53b3f3ab9497b6a2bcd9dd54

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe

Filesize
11.2MB

MD5
43cc976800c506662c325478eb8bf9ea

SHA1
6d18795469c3a0ac6e4b8bb0024fffba51c45c60

SHA256
41ea3c0b8421ebdea1eb6a508a38e120b1fbb38b9a2e1379deabc5a167a87408

SHA512
396a97698a815316b1bd1b927f089c1d4934ea9fb8b31be72941e46030059978f98866cc19c5daf36722d5a768af007434c875de53b3f3ab9497b6a2bcd9dd54

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rfusclient.exe

Filesize
11.2MB

MD5
43cc976800c506662c325478eb8bf9ea

SHA1
6d18795469c3a0ac6e4b8bb0024fffba51c45c60

SHA256
41ea3c0b8421ebdea1eb6a508a38e120b1fbb38b9a2e1379deabc5a167a87408

SHA512
396a97698a815316b1bd1b927f089c1d4934ea9fb8b31be72941e46030059978f98866cc19c5daf36722d5a768af007434c875de53b3f3ab9497b6a2bcd9dd54

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe

Filesize
18.0MB

MD5
6c6ba57be4b7b2fb661a99fea872f6b8

SHA1
aa95f1662a80e2c31fc24e60a9168b6df93c42e7

SHA256
ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

SHA512
15d89d9b89bf585acef483212c3e0cd37ee5c680e03d5e4e9f6ae73e058e5ece0ff6e52df36f695a2aed20c5115e1b1ab6eb6afa580e7349d4871ad4c079c37f

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe

Filesize
18.0MB

MD5
6c6ba57be4b7b2fb661a99fea872f6b8

SHA1
aa95f1662a80e2c31fc24e60a9168b6df93c42e7

SHA256
ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

SHA512
15d89d9b89bf585acef483212c3e0cd37ee5c680e03d5e4e9f6ae73e058e5ece0ff6e52df36f695a2aed20c5115e1b1ab6eb6afa580e7349d4871ad4c079c37f

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\rutserv.exe

Filesize
18.0MB

MD5
6c6ba57be4b7b2fb661a99fea872f6b8

SHA1
aa95f1662a80e2c31fc24e60a9168b6df93c42e7

SHA256
ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

SHA512
15d89d9b89bf585acef483212c3e0cd37ee5c680e03d5e4e9f6ae73e058e5ece0ff6e52df36f695a2aed20c5115e1b1ab6eb6afa580e7349d4871ad4c079c37f

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\settings.dat

Filesize
11KB

MD5
f4852a3bdf6147b8b0dcbcf3baec90a8

SHA1
0b8d32a627bd52b0f84cc043d220c4261aec5ad0

SHA256
a702e2b289f0b1af87c0d4f4af07aa8acbe06b2d5b5d28aee7cd587ef423046e

SHA512
a7eecf297b6d868ad7dfc6bd4929f8b7ffcda44ebbee81f9acd92e8c39f65b25fd7be744f6ade73017c86d4d4c6098f11f364d70fb6a5d605ba57ce8d19af75e

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\ssleay32.dll

Filesize
337KB

MD5
197da919e4c91125656bf905877c9b5a

SHA1
9574ec3e87bb0f7acce72d4d59d176296741aa83

SHA256
303c78aba3b776472c245f17020f9aa5a53f09a6f6c1e4f34b8e18e33906b5ee

SHA512
33c1b853181f83cab2f57f47fb7e093badf83963613e7328ebd23f0d62f59416d7a93063c6237435fbb6833a69bc44ebbc13aa585da010f491c680b2ea335c47

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\vp8decoder.dll

Filesize
380KB

MD5
41acd8b6d9d80a61f2f686850e3d676a

SHA1
38428a08915cf72dd2eca25b3d87613d9aa027dd

SHA256
36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

SHA512
d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\vp8encoder.dll

Filesize
1.6MB

MD5
2ac39d6990170ca37a735f2f15f970e8

SHA1
8148a9cdc6b3fe6492281ebad79636433a6064ab

SHA256
0961d83cb25e1a50d5c0ec2f9fb0d17f2504dae0b22a865f6e1ea8e987e1c6fa

SHA512
7e30fde909d5f8efd6c2e40e125525697267273163ac35cf53561a2bd32e5dad8e4fba32905f53e422c9c73b8ad9a0c151f8d36042c5f156b50bf42dc21a9cee

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\webmmux.dll

Filesize
260KB

MD5
8a683f90a78778fba037565588a6f752

SHA1
011939c1fa7b73272db340c32386a13e140adc6a

SHA256
bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

SHA512
9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\webmvorbisdecoder.dll

Filesize
365KB

MD5
c9d412c1d30abb9d61151a10371f4140

SHA1
87120faa6b859f5e23f7344f9547b2fc228af15b

SHA256
f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

SHA512
1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70020\FE96E5193D\webmvorbisencoder.dll

Filesize
860KB

MD5
a59f69797c42324540e26c7c7998c18c

SHA1
7f7bc5bc62a8744f87a7d2e30cc6dd74c72e19b4

SHA256
83e1c1eb55bfd0f2d85d41c1e4dee65046b064ccb263ec7f412a5f329c75cfd1

SHA512
837f244e6b70658974506ac35bd3ee2d413b89fe4b26e75f4a61cc7bec63e999c9c2cffb690ad567f74962bab13f2f5471300cd0e0cfe61bb1084072cb55c38b

Download Submit
memory/3940-130-0x0000000000400000-0x000000000282D000-memory.dmp

Filesize
36.2MB

Download
memory/3940-134-0x0000000000400000-0x000000000282D000-memory.dmp

Filesize
36.2MB

Download