rms | 981e6b7e07d549903c7c91f149b643c9a75ab98e0e0cba8f0845bef2e162ea7c

Analysis

max time kernel
141s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe
Size

6.3MB
MD5

bfb6121383e3e301ec4267ecb9cacb56
SHA1

d36b7cd218b3e88a03fa3a9c681e6f6fad3b415d
SHA256

981e6b7e07d549903c7c91f149b643c9a75ab98e0e0cba8f0845bef2e162ea7c
SHA512

845559ef9f6cbd7c03f39c60a403b0058b1cfd09e8e84581e8f5dd11501708d06139d5a949cfc9bb1d52537e3cde468ceeee8bd0dcb299c8f29b1496d1f542f3
SSDEEP

98304:MjMgl8EOJi4JhgiIVqskETxGaYequQ+vVNYENTGBxX9WVLE8zjNBumjiQcNOyfAV:MYg8EBEZSeaYeqS8UYWtzmmUJAV

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 5 IoCs

pid	Process
1744	rfusclient.exe
1848	rfusclient.exe
1592	rutserv.exe
2012	rutserv.exe
1568	rfusclient.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 7 IoCs

pid	Process
2044	cmd.exe
1744	rfusclient.exe
1744	rfusclient.exe
1848	rfusclient.exe
1848	rfusclient.exe
1848	rfusclient.exe
1848	rfusclient.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1592	rutserv.exe
1592	rutserv.exe
1592	rutserv.exe
1592	rutserv.exe
1592	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	rutserv.exe
Token: SeTakeOwnershipPrivilege	2012	rutserv.exe
Token: SeTcbPrivilege	2012	rutserv.exe
Token: SeTcbPrivilege	2012	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1568	rfusclient.exe
1568	rfusclient.exe
1568	rfusclient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1568	rfusclient.exe
1568	rfusclient.exe
1568	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1592	rutserv.exe
1592	rutserv.exe
1592	rutserv.exe
1592	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe
2012	rutserv.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 1204 wrote to memory of 2044	1204	981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe	27
PID 2044 wrote to memory of 1744	2044	cmd.exe	29
PID 2044 wrote to memory of 1744	2044	cmd.exe	29
PID 2044 wrote to memory of 1744	2044	cmd.exe	29
PID 2044 wrote to memory of 1744	2044	cmd.exe	29
PID 1744 wrote to memory of 1848	1744	rfusclient.exe	30
PID 1744 wrote to memory of 1848	1744	rfusclient.exe	30
PID 1744 wrote to memory of 1848	1744	rfusclient.exe	30
PID 1744 wrote to memory of 1848	1744	rfusclient.exe	30
PID 1848 wrote to memory of 1592	1848	rfusclient.exe	31
PID 1848 wrote to memory of 1592	1848	rfusclient.exe	31
PID 1848 wrote to memory of 1592	1848	rfusclient.exe	31
PID 1848 wrote to memory of 1592	1848	rfusclient.exe	31
PID 2012 wrote to memory of 1568	2012	rutserv.exe	33
PID 2012 wrote to memory of 1568	2012	rutserv.exe	33
PID 2012 wrote to memory of 1568	2012	rutserv.exe	33
PID 2012 wrote to memory of 1568	2012	rutserv.exe	33

C:\Users\Admin\AppData\Local\Temp\981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe
"C:\Users\Admin\AppData\Local\Temp\981E6B7E07D549903C7C91F149B643C9A75AB98E0E0CB.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
    rfusclient.exe -deploy
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe" -run_agent
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe
        
        "C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1592
      - C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe -second
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe /tray /user
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg

Filesize
49KB

MD5
e51a34c8198ba9a59e53f0503777e75b

SHA1
83d93b4a520b08efa14b55c80c5db8f85d5ca9e4

SHA256
5810c1f2453156015e43dc8844b8463eaa47be877c07834e67723815aa60c5d3

SHA512
ed8c7684eeb24afae4f8cffccb870192e5ecb918843f2530439398d5cee783cafd375f851c0334ca6f1272196af984e72e3864a388f243cd6d82449151b722bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg

Filesize
37KB

MD5
844e2b8e4ad580ff845402a6b3b88846

SHA1
1e76d2008eee1a896d207dd9c3c1a504dc9d06de

SHA256
4d646a6af146c05cdb4644f62605cb40196595e6ed3aabcaf92e7d081c4eebf1

SHA512
01590c09f0cb43e1ccbc27b591a06ee16485a176439512f121a1b29d1fdc8ba9eb216a26c619abdd3ca8b441d80bd23ab165cf9f36e7ade0fb57f60645ff94ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg

Filesize
37KB

MD5
420f3450e1dbf4ecbe48125bef79155e

SHA1
eedd628146fe8722aa8f5a9cc9a84ff86bc403ee

SHA256
ac397a585dd2e48f8ee01d2e50d4d87e138d24d6f6f7c442507feab796c3a9ed

SHA512
7b14bccb0daedf62186fafdb9224ce5c96b493950e4c7a9c6c9d330831c4e660efa77bf661a39bcb5b93014a9c3a7f28a633c4f6a1618b2a7ea551e811950857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg

Filesize
52KB

MD5
d39727c9980021059a0f2073277e039e

SHA1
a59b8f6d517741a8cf8c88cbb9bc7ddfa8879f75

SHA256
f1900d97610996e7a71c354f3899c26324e5a5493374a4d697558e4c4f669257

SHA512
f0fa8eed8f9b72775c8c574edb4299cced7e6ca71c3cc907d1914d3cd6a86987fc7b031960b8d496030ea9b2b4eaecddcf5d0f5ee6236514e0d21232680e9c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg

Filesize
52KB

MD5
ab723f51a48801456d39bb48396beada

SHA1
a721d0afa24cbfb99c97431be42113426ab6638f

SHA256
3db7b110d7df4402b0ac207d28debb735cfd476ef42c2f71bbba5108a0b96da5

SHA512
b5fe82a2d00f277bf9fd75fae659a75e7f3aeb6629c6e034c7d9ee477abcba89dc4661035310ffdebd6aa3115c79c7621bf42af43b32568d5408d229b4d285bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

Filesize
55KB

MD5
00c905e8da73cf386c210d28e3797f6c

SHA1
512b1c68ad520bbd77733cf71e376333c509c183

SHA256
83813ca174f76a126e05f6cca58be24ce2a48a2632e9bf6bfa46a353d01111b6

SHA512
b302035bd8379ddc18be49575b92cfd0219b6847cbd2d9acb9d6faf26fc0b0774bfae11a599e52266849663c5adf3de2c217ca5214339bb5400daae5ac35363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

Filesize
49KB

MD5
722fe688f60b4649265f5177a8c0c0ca

SHA1
9532e0de2b2d1eeacc19f15602904ae14231df6b

SHA256
2e551329bf8cb93e665c17bac916776d75091ff190b7ccff8a48fb0de0d582b5

SHA512
1248a6e94c1f75e398096f2d773822b2faf4e18438628e4874e4fc143bcf8adfc59f145de5838e1d9127795ab2de443ba6ba149e9dac3958d534356f98aa791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

Filesize
52KB

MD5
6396e5ade56e4f45c4f59ca210385f58

SHA1
88f8778e8f960001ee558255e22418d8ea17446a

SHA256
fe57254a0c2a3593d618bea7d43074c7b637ec3021f0b51073c0d95f65bae882

SHA512
58d0b3a45249338b41affbdc81cf01fb68e1f710b1f378bcc4eae58d6e8e8402be0a06c9b4e74a4cfa1d2631ad9281921a081bf597b24f12f7ea2a4fbcd5d020

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

Filesize
56KB

MD5
7c2276331e1e744cf702858fbb041039

SHA1
a5c7c0067a96b7e8cd11d8b3c205494147a2da4e

SHA256
0b05f6ada359e0c3295d32087874bf2888e60400fe3a9ec4d54a849031bfe915

SHA512
e3fe3aafeaa6f295c53b2317aec8581a61260cc76072d814b913084b740397c3d77df4a63acc677f95aa6d40ff70fb52041432f903a128d5b54184c085d7a16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg

Filesize
54KB

MD5
42b83b0d09167cb42582b5f830b44ebb

SHA1
a9d5d467643aca034a983ebbb595d2fedd19062a

SHA256
56b73a451ecc9d3f99892b397ef1b5006b6f9296765d01fbdc7fc3d979400bbd

SHA512
2ef138d4e45554d594abbce7a2987fb17eeac63c607815120d4a415b7c3e3280a84b4068429d7743523c4366da0b5aec73c8152ec30185b3b18f14e39a22a781

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg

Filesize
46KB

MD5
516352f3ff5dc96d8cfbd6abf069aabd

SHA1
b52524bec89b956fba232d7a72205e63e029d5d0

SHA256
6387f12ff599445016b7f5b191170f077fe50c8b986a7d9650abfb7ccb6377f5

SHA512
c42e0901731774a15a65c047d8b05551d789e130ac17b53e899bb88f9d6a6448050eaa45b47a2a4cabc333cd36a863cfc5722cb76aebe04c73d9617117f0361c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg

Filesize
54KB

MD5
dfcc06cd5e145a631806c1d011ad0fba

SHA1
d53236889246db20ad22f4811d24c7257c9b635d

SHA256
9848f250729fe0a81118aa027592ad0ef98d8428e808fa7bafa0903a93c4d94b

SHA512
35767772186b91f502698ce0fb7a25db3d9718fa0faa58f3f67fe711f841f95e14e89cb6bbbc476a29e568a93d670b205b616e07508c12f800d0e20cd3831e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg

Filesize
42KB

MD5
58319662af8f62390737c9df99f23dba

SHA1
19d0549605e76343555a3486aac9b072fe47e878

SHA256
4df73b25972b4388f2ffe70b88d4cfc739aed58dc0a72163b96cd407eb8d4388

SHA512
97fefa76088474a208e777026d6c4022d8490fe6773b8ca5fe07eaa3ac732a69bdc589c6d4f34cd6d4a41ba73f628fe8160205d4695559f81e6fa19a02a6cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg

Filesize
40KB

MD5
dc4e41d98050548860bf92ca11345962

SHA1
259fc2aa4622e202799bbb5d352e57da47a6988f

SHA256
87ada3f861a2b04e39f633218b791cc9e08200dafe96b85538c2ce402fe1f0db

SHA512
7f7d18668248c5a3b5b7aacb5616c6dc0e562b8467a9a27ddd021690456b685af3c8dfc0b1fec746ccd799b5a9f41b0968628864087d1b3dbce79b52c49382b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg

Filesize
51KB

MD5
3cdf55746e6889e8fff300e54a287bcc

SHA1
57c38147c92b86f7bceeb4dbd9ad1d720410b07d

SHA256
d3014f26e0b5bd84f694c8ad18f0de48ce3cbcbaa2f649070f161c64702cae3d

SHA512
df2fe1b2f16238c1de4b3982ed31cca71490eba41fe9588864b3a58f0f5ee8bf6ef28a63528e7bf06524780d19812e8cd3991472a82ed5559a6a32146c04830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg

Filesize
53KB

MD5
da9d399b473ccff29e6e8f9a5723cbfb

SHA1
d878b4206aaf64384162e96673845e913db34c69

SHA256
b885b4e1e7bea7c202c71313a60774143dd7cc18d1a0ec8412b47d53016ea3f3

SHA512
893122ce6550dddd793668ea7ff68764ca7676de34d8385df42f09eee50e0ce09670e6aca1245331fb18589207b3870b5564896e4d65eedc229648d985314dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg

Filesize
54KB

MD5
119f5f60b0d87bd3a9e34eefe510cead

SHA1
07835dce1a48d571d1e8a5a4ff1f47f44bac3992

SHA256
b9793f0ede71f259dc242c926cdc8f70fdb241a8a0f22c7206fb51b7e0a43002

SHA512
5596ab114a4bc5edf98db65e95e2daa367a43034793b07877e3533e98822721ee3293a00760c2367fd3088df681fa0397e1a263efac1fd6850a1e26670cd0678

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg

Filesize
54KB

MD5
18e6affb3bee46aeaf86efb1977f358b

SHA1
0df0b1fb0e3e59bc2f52d2a2bdadd29bf0adebc7

SHA256
c6e7b98ea6fd6bd60d26c46ba6432000cf4c47c5ba137fb63e905cfc2b3d36ba

SHA512
fb6428024e22b48c0a66f556973fb434a9a33593942541c1a42d175d0335a83152d8247f875138be014c5f9c98167003498717029eb36780cd7a374a3f59e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

Filesize
151KB

MD5
435d9e1fd4b87308f0f91da25530d4ec

SHA1
a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996

SHA256
05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca

SHA512
9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

Filesize
967KB

MD5
534d6f176f6cbc725f9e7db8028cd3f7

SHA1
35b53f2e344f4a908a551409d018a91dc58100d5

SHA256
e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0

SHA512
1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg

Filesize
54KB

MD5
542fb52c74f0f92c5cbe734cf75145b5

SHA1
6bca28849913bf4f61b3d48791737a00f9718ee7

SHA256
c157ce11631f26462c764bab24b0700f019a2213b36a92002d886d156afa7b03

SHA512
ece3518e30d4ddc210afe82751f4b011d2d67fc8130f619656590c45710e3ac11674026445a33e880d13f60a6156c79923badff8d5f68d119d68ab2728dd7c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

Filesize
52KB

MD5
6b46297240dfc309a99b133e94c916c3

SHA1
ce4f36af4cbf6ebd15cf6e0e6dc8b72e61872027

SHA256
88f45f3cc9999a1e35967cd7f33d2d15c0c31b13336fbf93e754e1af8903d9c1

SHA512
6f808e7627d4d2ac06ec07f55ca72277c12a80e14fadd2822174349ebd0d5398dfcd73c301a4427a64db59b283f3d04a74be72f96e613db1540aeb9859af338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

Filesize
54KB

MD5
8a4b15f09ab2301fdbf99acd5274bf88

SHA1
88bee09f9690dce0f323909d53525f60e076e854

SHA256
00d3aa64e2afe9b92f2d13255a86eee0f289d9d257229289de0e2020626f0508

SHA512
f2066e60c588b698f3d2d79d19a25b76354c4857df1eda51d60d1371c5a32a87211a8927c0817ef1e2a8ca1d50230516a4521be6e0b40c7c301d93d894548e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

Filesize
328B

MD5
3c9238a9ce9060f2a4e88abfb89328c2

SHA1
15b058c015880be4f8c71c0b9676ad2ad8d23175

SHA256
96ae9fae9a94d95ae8a4b02bb8f59b6d9a35acd66c56867863b5168475eebf20

SHA512
371cf0f6447e0ccd9eeddf0cb572c70393a5d2e38d20e432e12911720f5db8e10b9e2415a77817d0aae82cc06b21388684e278b83cc4531b5c39ce1116adc4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

Filesize
86B

MD5
90b15937ff9ec75f7016e171bd1261ce

SHA1
3fa80c58e8bf6c3ab356047cfaa14187328c3732

SHA256
eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a

SHA512
993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
25B

MD5
9b7ac054975f8f7b6fe9a41a18e2d6e7

SHA1
d820008d3732f37a7e4030c4bd414e3764de1af7

SHA256
815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255

SHA512
806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

Filesize
157KB

MD5
3565f1041216b04c947cb9328e38483b

SHA1
a8502b3dc814ba61c1874c8643fd508d2a3d9155

SHA256
8afbb63e2e61fe9b351dc88db53856653b37d0c7fbf5f01cf098fd5959635252

SHA512
4eb5c1e5910e7e42297f3ae9c667b52c9ce8f2a083236bf60de075aca4e6a3508d72a28919a8ae27adbb7c399fa4c25ce375ab056033182111d1c45187527686

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

Filesize
4KB

MD5
a40c081a8aaac6ba520a17ee75cd782d

SHA1
337cf3a0a2cbcb8d6b1c5bec932baf004b4b3c48

SHA256
90c62d6e470b77c87758bf851a5cdcf3b3da337c4178892da4b36ef7bc1ff0a4

SHA512
849baf81acf8e54ebf62b6e2ed9c9218171291796ef011aa8b07b49416f4892e19ec9409a8118e60341f6e8d7dc5c6818bd9c2d01cabf9b310bc669984ae9852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

Filesize
381KB

MD5
381f1b7d8f7da904827980dae02f77a9

SHA1
81d4d5724533b26391301be2b462f580395d5485

SHA256
f14dab0b9f18aced330729b4a772e6b139817be01783b97b92e9af5fc26615d2

SHA512
44a5eee558c727c9c07301dc0190a00807d1749f83c57f76c4f8cdde4bbdf4b44bb1086cc2fcb7aff0a73949ae7aaa17d33d9cd3b0a70c4f51b724812e1bd6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

Filesize
1.6MB

MD5
3e6c2703e1c8b6b2b3512aff48099462

SHA1
b17a7f9cce16540b1f0e3dceae9dc7e8e855cb1b

SHA256
616a0047b5f28a071fc26dd9b0fd90d5110c77a3635565cebc24b6362d8c9844

SHA512
70d0c5cb8542ca0600d38aee9030ea3dd9b0951a7d96ac1b8f1af9e71c5357c33f433913ef9d2e3254a9ac95e5678764ab22184fbcec998a9bbb8d75731c9dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

Filesize
261KB

MD5
026d12b240e081794c730c1ed24a6f33

SHA1
bb6c0544ecc2c8db68b23b8e4feab5b3261b4666

SHA256
d639adb51c6e3ee8c249d11eb8db606ba2aa37d4f12f80f2b9685d8f560984bf

SHA512
5b88ee5c7cee966867eec31ad468aa19353a2a2b1a84995ac1bedeaf5e60b1b015f73fcd35644c4365cf8f1981b3de057483838b7deaad5599f9c2a24f60d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

Filesize
366KB

MD5
2943b9910b1c7cc04024888502885256

SHA1
e2ac697a558fa85ff4c9e2bb114138870a80f146

SHA256
78115050f4e99372fc10b19a14af60e623ddfda224c8e96340cb5d8166507e2b

SHA512
8d9d0d60622b958ab0f7c1f1d050fb53ba11cf19aa513fde9f7b7772fb6949b3e50907ed519fdc89e2bdf0ffb33ff084094af56abd3f9d1d2faef9d27990fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

Filesize
861KB

MD5
74a8ebf5d8e08e284d734fe5feebd67d

SHA1
87fb627c6e63eb41e26f389b38d525ccf0c11590

SHA256
1a9632b9e061b56017d2eb8d15c20e60a9518b4de5faa0399eaba0a17c10045d

SHA512
230f84f3fdb335a6044e6a83154de27e853b66ce6b8963b5f1991c462d69cc702a5cf7ee20717ec9f6e688398579fe18102a48f418b74333f476255b1cdbf8b9

Download Submit
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
C:\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rfusclient.exe

Filesize
5.5MB

MD5
848a53dc549be0386e5da0f49700c389

SHA1
e918192d2b5c565a9b2756a1d01070c6608f361c

SHA256
faf0c5e4ef7dbcfd863377c55a4d1d87a3f6a58c13a8a9882e11012066f31976

SHA512
fa3ec7f48ec441c1e68ca74d3b8436838b5a4fd5f767fb655d5ba19e82d5a7cc5d9706ae5e3eb53334ff1dc03ce589fcebcf4bdcb7cc27f69bfa6e3eb24f9633

Download Submit
\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
\Users\Admin\AppData\Roaming\RUT-Agent\68001\D9A6B08D6A\rutserv.exe

Filesize
9.5MB

MD5
3c5850ef227bb206e507551c471ee8df

SHA1
8943aab98043f28918a0c8d31d7a0076b5bffb1c

SHA256
a803bd4522ec8804adf5e548b2ffc9e3afa7eee179d96945de1a5980b5616445

SHA512
aa94ace9f008eeff257505239a7a04eada728461e7d732e227815c880b6ec758b63b2dc576af425489b661d5de23d002ff14121c8e0165fae9fd127404eb2f1a

Download Submit
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1568-110-0x0000000000000000-mapping.dmp

Download
memory/1592-104-0x0000000000000000-mapping.dmp

Download
memory/1744-59-0x0000000000000000-mapping.dmp

Download
memory/1848-97-0x0000000000000000-mapping.dmp

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download