rurat | 20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2

Resubmissions

19-02-2024 13:09

240219-qd2rpsdh42 10

19-02-2024 12:34

240219-pr4b1sdb8w 10

22-01-2024 20:46

240122-zkqsfsdgf8 10

22-01-2024 16:08

240122-tk9bxaadck 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Електронний план евакуації.exe
Size

20.1MB
MD5

9b40a1519801020305e31e553a3e82ab
SHA1

cdb31b4af42b3fb27527839ecf26d1c26f2a5d06
SHA256

5158482849c818c270f302c1dfa06d770ed2b5056cf393d60fd56817636866da
SHA512

57fb1869dee12253b97d787e26398ee2cd00c8bea8feaa737ffe0c61f5cad342a956cc0357cfb3551d31425df5cf857db560b3b97d16e57d5a8596d45f42bca9
SSDEEP

393216:zTrD0wz5HtKIdVtvz75Un+2PJ3L6LBQ45TDmZmLCAJ+JuuPUg9ScrRl:TgwdHUyVtvz75Un+uhs5TWmODgyaA

Score

10^/10

rurat backdoor trojan

Malware Config

Signatures

RuRAT
RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.
trojan backdoor rurat

RURAT CERTIFICATE 23 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	RURat_certificate
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	RURat_certificate

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Електронний план евакуації.exerfusclient.exerfusclient.exerfusclient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Електронний план евакуації.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 9 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	process
1140	rfusclient.exe
4216	rutserv.exe
2740	rutserv.exe
4300	rutserv.exe
4708	rutserv.exe
5044	rfusclient.exe
4524	rfusclient.exe
1328	rfusclient.exe
3128	rutserv.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
4888	MsiExec.exe
4216	rutserv.exe
4216	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

12 4360 msiexec.exe

flow	pid	process
12	4360	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 8 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3EC49180A59F0C351C30F112AD97CFA5_ED80F76A55EEDF047A88FD3F37D62FA3	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3EC49180A59F0C351C30F112AD97CFA5_ED80F76A55EEDF047A88FD3F37D62FA3	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_C5856A5EB1E3B74AE8014850A678CDBF	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_C5856A5EB1E3B74AE8014850A678CDBF	rutserv.exe

Drops file in Program Files directory 55 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\pdfout.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpdisp.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.hlp	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E5C.tmp	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File created	C:\Windows\Installer\e575b30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD4.tmp	msiexec.exe
File created	C:\Windows\Installer\e575b34.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e575b30.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\ARPPRODUCTICON.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 48 IoCs

Processes:

rutserv.exemsiexec.exerutserv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Version = "117571586"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\ProductName = "Remote Utilities - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\AuthorizedLUAApp = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ADD21FF3AD83F6644B3E7657CAFE5583\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\ProductIcon = "C:\\Windows\\Installer\\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\PackageName = "install.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\PackageCode = "18BC6BFBD2A8CF147A73C58FBE730039"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media\1 = "DISK1;1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	process
1140	rfusclient.exe
1140	rfusclient.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
5044	rfusclient.exe
5044	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
5044	rfusclient.exe
5044	rfusclient.exe
1328	rfusclient.exe
1328	rfusclient.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4360	msiexec.exe
Token: SeCreateTokenPrivilege	4988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4988	msiexec.exe
Token: SeLockMemoryPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeMachineAccountPrivilege	4988	msiexec.exe
Token: SeTcbPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4988	msiexec.exe
Token: SeTakeOwnershipPrivilege	4988	msiexec.exe
Token: SeLoadDriverPrivilege	4988	msiexec.exe
Token: SeSystemProfilePrivilege	4988	msiexec.exe
Token: SeSystemtimePrivilege	4988	msiexec.exe
Token: SeProfSingleProcessPrivilege	4988	msiexec.exe
Token: SeIncBasePriorityPrivilege	4988	msiexec.exe
Token: SeCreatePagefilePrivilege	4988	msiexec.exe
Token: SeCreatePermanentPrivilege	4988	msiexec.exe
Token: SeBackupPrivilege	4988	msiexec.exe
Token: SeRestorePrivilege	4988	msiexec.exe
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeDebugPrivilege	4988	msiexec.exe
Token: SeAuditPrivilege	4988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4988	msiexec.exe
Token: SeChangeNotifyPrivilege	4988	msiexec.exe
Token: SeRemoteShutdownPrivilege	4988	msiexec.exe
Token: SeUndockPrivilege	4988	msiexec.exe
Token: SeSyncAgentPrivilege	4988	msiexec.exe
Token: SeEnableDelegationPrivilege	4988	msiexec.exe
Token: SeManageVolumePrivilege	4988	msiexec.exe
Token: SeImpersonatePrivilege	4988	msiexec.exe
Token: SeCreateGlobalPrivilege	4988	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

rfusclient.exe

pid	process
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

rfusclient.exe

pid	process
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe
4524	rfusclient.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
4216	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
2740	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4300	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
4708	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe
3128	rutserv.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Електронний план евакуації.exemsiexec.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 2840 wrote to memory of 4988	2840	Електронний план евакуації.exe	msiexec.exe
PID 2840 wrote to memory of 4988	2840	Електронний план евакуації.exe	msiexec.exe
PID 4360 wrote to memory of 4888	4360	msiexec.exe	MsiExec.exe
PID 4360 wrote to memory of 4888	4360	msiexec.exe	MsiExec.exe
PID 4360 wrote to memory of 4888	4360	msiexec.exe	MsiExec.exe
PID 4360 wrote to memory of 1140	4360	msiexec.exe	rfusclient.exe
PID 4360 wrote to memory of 1140	4360	msiexec.exe	rfusclient.exe
PID 4360 wrote to memory of 1140	4360	msiexec.exe	rfusclient.exe
PID 4360 wrote to memory of 4216	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 4216	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 4216	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 2740	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 2740	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 2740	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 4300	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 4300	4360	msiexec.exe	rutserv.exe
PID 4360 wrote to memory of 4300	4360	msiexec.exe	rutserv.exe
PID 4708 wrote to memory of 5044	4708	rutserv.exe	rfusclient.exe
PID 4708 wrote to memory of 5044	4708	rutserv.exe	rfusclient.exe
PID 4708 wrote to memory of 5044	4708	rutserv.exe	rfusclient.exe
PID 4708 wrote to memory of 4524	4708	rutserv.exe	rfusclient.exe
PID 4708 wrote to memory of 4524	4708	rutserv.exe	rfusclient.exe
PID 4708 wrote to memory of 4524	4708	rutserv.exe	rfusclient.exe
PID 5044 wrote to memory of 1328	5044	rfusclient.exe	rfusclient.exe
PID 5044 wrote to memory of 1328	5044	rfusclient.exe	rfusclient.exe
PID 5044 wrote to memory of 1328	5044	rfusclient.exe	rfusclient.exe
PID 4708 wrote to memory of 3128	4708	rutserv.exe	rutserv.exe
PID 4708 wrote to memory of 3128	4708	rutserv.exe	rutserv.exe
PID 4708 wrote to memory of 3128	4708	rutserv.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\Електронний план евакуації.exe
"C:\Users\Admin\AppData\Local\Temp\Електронний план евакуації.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i install.msi /qn
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ACC839DC06316673AC5EB206B85DE500
2⤵
- Loads dropped DLL
PID:4888

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\install.msi"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575b33.rbs
Filesize
41KB

MD5
fa37e6d0ae566ac257cd42c670ced53c

SHA1
4b8578205afaa418ff3861e537512c10cb92e6a7

SHA256
f1e1b2680d7b707d78f07001a8dcd533948c8d40d3697cfc4067d29ac2b0e603

SHA512
f78598e477d8d8eead8af460968c1b4c1cdac615185d8c20db863a750037f121167926b15692e77f0cd0a9653e79163260339918563ed9d11f10622cd898065c

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll
Filesize
52KB

MD5
b2e6147f97dae696265a089f98ce8106

SHA1
418f20ec486b7a9368ceff183e7cebae9ba52101

SHA256
44917b2c260fea3a0f4691f6e986c25e31b3f9ff22dcd055526199b4d8a54051

SHA512
789dd02281b71fab54f42b92b5c0c76c0266c40100dbe532ad3ebbf968e8a9e674f0be57e2ffdb10eb4a6b4faa15a6a6a92907c020c6cd2990427d890d7f5026

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
1.3MB

MD5
b0433711581916700978618558131929

SHA1
6513c7c14f19fa37c73926fc098a9da678621e04

SHA256
26b24dcd9cb7ab8761ae7fb597704f81e2a6ede6572a247c39a969960dbba539

SHA512
a1d8bcd4b641b5e54a4435a70e19a56ecce6dc9c7d9b6fc28f7829de96d139c9cfd10f35f096529f8d33583bea8ffe1b6c2636f2710d9d01f1a7513f77db8589

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
1.2MB

MD5
e9e1ef50198cb3f7bb85a64e94183c5f

SHA1
0bfc840b9a00718c6f7bf18669ef8482432daefe

SHA256
aaf7b3a6ac573d9286046aaa5bccaf7edea6de5e015e26859f32cdb2755ac3d4

SHA512
d87c58db63fdf1a5606388926a13de208ace79d9c695a528e241df77d8077d56f2e45344714b9aa1c41c32f343647a5d9e09b005e881812962709eaa6749d1c2

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
619KB

MD5
7599566f57a04e1f823fff0b08ab4541

SHA1
c27b90c9276a6c6aa3c04a75058ecff1fb1fd766

SHA256
918db128137eaca825ecf36b1c5d2f691278b0ab2c245628699a17f3da9867e0

SHA512
c00f776127178925fe353c93f9aa54ec505e31a50415f024a6f2b07dced24e2033296fc20f8109f7ed5c92acaeb5c2fad0f51e63629d05408e8b918c6ad9af79

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
931KB

MD5
7b463c968cc03e0f16ebbd759a8414af

SHA1
fee4760079486109386be19843c0b1f60deeb17f

SHA256
5a3ffb6ec4cba5fd3e8a21ff275276ea9c6485cbbcdb66e472036d3a6ff02d58

SHA512
0510d924a3803a8bd656f723fe3e6f0f5b6517ef4bb3bdbbf553fcd97f5c01113198085713e17d2a4fa837b3792d6c7c5b3362867c6bfc2a4c3241e026d4a349

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
1.1MB

MD5
7378cc044f2321c84601111e56f7775b

SHA1
e76def47d17dee0716d3b7276b99a4f240171bfc

SHA256
c7cf896df7bc922db62afd9a63be72b5c4d4e256048b11c39fd3c345ace65216

SHA512
adf1e4dfbd5dde792685135da4e23e400076375e5535f23d0992e37c74a2adb8a4c9e889b8ad70f4c801aae933663050cea41fa7ac82d86a21e42d7f2c6a07ad

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
530KB

MD5
628455bc5436800a9f384d42a27a0b0b

SHA1
88e41c5ba6a9ae00771e135e3e9c7655048f8e5a

SHA256
538f4c93d17b2ec5bc5bfd4e8644792c186b8d0a3d7ff7dcedb18303555c5cd2

SHA512
8560790052c2332730d6f0832beab349d0b1f94cee7af8ffc4979e70dbb511cab7ad7afc60a5a833e5dd264e7cb6622de8786378fa66b6c4531997f527b2d51e

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
402KB

MD5
5971138fd1094c0893ee8edb01a9df47

SHA1
5c0d5c72997ebec2720980b99c21ba3ead3df8ff

SHA256
2c997b7d417827a232205964ae0fd7f60b17e85f76d394f33116da62222b34e0

SHA512
5914b31b246a4f704f3be7ff8c30827c32c7042a3b2281fe1ee26f61d0792dcfb39a70f6ebb76d22c3d24a5528ad8680950e93104ef00232afb4365d17ef61c3

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
1.3MB

MD5
96838f7cd3183766a1484a6689b0f061

SHA1
c5cc701764f215f44e127d609e5c452e002c4b3c

SHA256
f5ee305dbbf85531c242309e8fdbfca70daae48cdfd5391a28a36a90acaa1e03

SHA512
9096dae3e36b3ebf7e2cdfe86ea7042f65e098467dbb9306ea037903f38e14503cb662572ca7e7a6ac75f7eb7ac0ce772341d4d74e6b1d3c3be1cde4105fec3b

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
1.2MB

MD5
17a55cf4f14114dfb6e18bf6aad31dfe

SHA1
b65496ee7efd2efd053ce09404ce0614ba1a736c

SHA256
ba2118a4fec1cdb28a4ea082341e43abc5bcbbfc1e05765a5f6f133b3f755a0f

SHA512
99bd6ceac828a3edc2a0b2e0970d03b251a38a5f40ffeaa1a57d719292ddb0437f6f504457e6894717a75a40a64439421f6c9af809c3a1d4ba9a64778f805543

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
1.4MB

MD5
a734b4f390d87f3457a63d0e85e724bb

SHA1
8254a7bbf21cec521f69adcedb441aa7bba9040c

SHA256
e16a083836df4d5b5ec0a5aa3dcee826723333e18e38eeda51df9b154d510005

SHA512
223e99d2b95cb8cb6b50115851f8db5cd650ef34f1ca8959ab97ff9945e72db7a1fc3e22fa0af7c73c9cf872868fe4d8e39793d2b57958eb1336493945a8c705

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
750KB

MD5
97a85ddf02d189ea6defd74b5000abfb

SHA1
ddf27910a3a2a12bfe1e4a518f78a86f2babee52

SHA256
7880fdd23f229722908db7da886063a502d96005a1a17034fce2ab9265f6e1d0

SHA512
867bddd1af144c2a61860ec0601c3d2d0f61ee6cf1be0a190dd761adc916f7013705cfa74e4ed39ab6363c8fce2f8d9fb95eb6265d2b1e91c93dd2db58f64edd

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
1.1MB

MD5
5da4dbfe585bf63a3d8b6b1c214cd5f9

SHA1
d7d1ec2184e61641221279e25397fa3da16e84a9

SHA256
bcdbe387cbb1b0fc82a9433489605279e896760872634fb7dff5fdeb9e368e2e

SHA512
66ca4c18a82d7569d5f0132995af334b0b8f2022d57d28dcf4b97fa92b7596cc31b9487aaf881a6bf7922b2dd9abaaf3fc2169ee27902c994ce38a9abb575d61

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
1015KB

MD5
2ed4f649dbdb0b5d4c4eb41e31577938

SHA1
1ae09290526524f5a70de87af712659250d367f1

SHA256
701e5ca2ad8d2f88eaa4d1c97e918f88eeeef965049d0136c964c4e71360ee59

SHA512
e425ca1a93f0ef3e6a01fd7862d2a1006a121d74c48d26f572ec16d05982fab926c95cdea997955edf5357e7257e813b47a86fe8996933dd55b1bc9899c7c3c1

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
4.3MB

MD5
0b9c7279dcde494dc76f23f568b6245e

SHA1
b73e141e0ad3d7bda98579fcfaf5e4aa280a0fc1

SHA256
9a94a6a07596589cd72a490828923bb9439e76a12ba22a6457bfc52465120bbd

SHA512
8610c296ef4deb1473fcf2ca318ce717e1a01e0f7ba1eb7e314c5a6920da6adf8d017905460e6d5114157647098ebb7e79e8fe040321e7d64282a31f760c1a14

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
1.4MB

MD5
7e9cae3842d5803650a8540f76e13818

SHA1
b946eba94ceb53600ddfeef8770bdb305d6d62bc

SHA256
dccb29d3fc554e4295f8a7eb2b872665f08d1454b62b9eac4bfbf6015c4a57b9

SHA512
5ecf6b3a8f3e8c82cd88fa1ce14d928f526e359fda6198fe99373294e2fe68d4c0ebf1f352afeee843f65676daad2aa179660bb39bc3f0158925cd3c75ead956

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
1.3MB

MD5
67faa8bf3e002c6279166928cb6b7049

SHA1
7bf8d4c3fbb8de096e63b01efc8379989cf307c6

SHA256
c2d5f67e7615754fa2523d91d5691ad30b4bd5a89938343996ee320d56dde20e

SHA512
3d16303ef728b59686d9460c541668bfdaf0fe91ffb725af020333b0d0c8059d8b4196db4e1250f924283dffb1794b73b676146f96effab44261d335a9a4f47e

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
Filesize
338KB

MD5
74f9696be4b46f04a1263c3181405c35

SHA1
cf66b349beaa2bc25ed5807763e32018e4304c7b

SHA256
d6e8bee1a9476ed3be229f4be81cc1154f1ed425e50e74fd1abcd76c56ea062c

SHA512
f122e00b795476809994733028346d82945566ce4c2be26444f02e077658ccb1ba0f3fe221cef37837941054fe4b3b54b3f9a74861f890e56544d1453823fd68

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll
Filesize
380KB

MD5
c14000f68306f1cf0ec799df9568ae01

SHA1
788d8d7a0ba86ba6c7ef4f7ae50cdc65ddb348ff

SHA256
53b040341ce80f246c8437a99df5252a48801e2154eb94dc50af54a75d8d85ac

SHA512
2d4769949832794ce310474f843b696ea8eeb819554ecd72c449981988a6f8fbc5155d84a97d8a4c015348b3dfe6708f88c64b257d4a4d0d4a03dd068dda4113

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll
Filesize
644KB

MD5
12e4bf48a0914cca0cd6d9e4a8f20ebe

SHA1
e574d7a42c6ac3d386ea8913180a91fdad4c10a4

SHA256
6143ff02a0cbab4b65db1b294b699f4bacaa854436cb6fe8f0951d93b10f2c13

SHA512
58bcfc8ff674349078a28aaad3d78b9ba69856131a023505820745a92ac60fa89de4dc2a0900a089f6002e35fd61c613ae4ff9e73e6b1af33b7a43b6a2e3a3e9

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll
Filesize
260KB

MD5
5e8673834662ac42b8363e19bc719282

SHA1
bb1c1ed731830a03db47d232e748df4e4d196db9

SHA256
a64a113955ec0d89ae6ff357f9bb1063c7dd29fe5610ee516a94ac17b11172c2

SHA512
3cf558b2d3ca03aed1ef0cfe36fb7ff3fe7a3af63a4c3b0cb6cf13c58baacae17e5a01bad743affae8c4f5b9f5425dd4a97755aca2ded99e70d782f699a9e225

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll
Filesize
365KB

MD5
95d30b282132fb591fd5fdd94e52af05

SHA1
eb7abe2f02c19ee41e4efc2506337288141d70ed

SHA256
e6c04dc8359b2c76f765fce37ec123d33acbc5ce93e60022ba88eb7c867ac3f6

SHA512
9e4ea23519d243d6d3ae93d2501f05f35aa1cc6264adb8f180f8a255bd35fb7996e110ac0ec7960fa0b93062be45eb0c0922d9597e76ee8180781cc5c9a9c792

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll
Filesize
716KB

MD5
50a261e0b310ec4f1c4d92cb50200686

SHA1
df407c3d8b9b837a18de379f20d6795e18beb143

SHA256
3cbbff541de8fef4d235c9b0ed1e51bfb0f6a0fc3182d5df81ab8ccfedd75b7e

SHA512
eafc354f7fbeaf746f87e3c246f6391f2c634d0059d2d0b3763ce838e24f42134f28775c2983f87e2e793d245955d272c8561875b504ea9b26225c211560e5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.msi
Filesize
19.4MB

MD5
f6656b36e7571e9a1de681e5eb9e5777

SHA1
1966c637bce55229764f231e1c3a3f326162bfa9

SHA256
09dca19adeeadb296f83c68525880f4838b5a678558572fea5d471907a6ea878

SHA512
2e6e5c4a981ff46b9f817d7d4c3ba8d5163e8e87ade3ccd7dc1cfe0ffbebfe8388d903d99fafbda7472114e839d2fcc1fa9af2189a8140be01965d81530e5fd3

Download Submit
C:\Windows\Installer\MSI5E5C.tmp
Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
C:\Windows\Installer\e575b30.msi
Filesize
3.2MB

MD5
9ea5bceef40e8f1f859d1c548675f489

SHA1
9025d5628f542772b6b0b143fb85d192cee605eb

SHA256
4c8e1c96b178fcec1fa82ef830a2eb0023058f5bec00d5024a75e8d33ac4dc01

SHA512
f70c52e22566812b13f5703ad33d4f919c59e0176edbd8d9304770c28185746848b55ea94f042db078fd9697ebc176322edde49a0b617707b04923ecfe110014

Download Submit
memory/1140-94-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/1140-92-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1140-95-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/1328-181-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/1328-182-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/1328-179-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2740-116-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/2740-115-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/2740-112-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/3128-206-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/3128-224-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/3128-207-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/3128-208-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4216-99-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/4216-110-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4300-128-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4300-154-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4300-186-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4524-200-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-185-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-251-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-247-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-243-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-239-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-162-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4524-235-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-173-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4524-172-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/4524-231-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-227-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-222-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-218-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-210-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-196-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-192-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download
memory/4524-189-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4524-187-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4708-194-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-215-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-158-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/4708-151-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/4708-152-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/4708-148-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4708-153-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/4708-190-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-180-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4708-157-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/4708-156-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/4708-198-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-136-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4708-144-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4708-203-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-145-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/4708-143-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/4708-142-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4708-176-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4708-183-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-216-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4708-175-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4708-220-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-249-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-132-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4708-225-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-155-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/4708-229-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-245-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-233-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-159-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/4708-237-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/4708-161-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/4708-241-0x0000000000350000-0x0000000001840000-memory.dmp

Filesize
20.9MB

Download
memory/5044-160-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/5044-171-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/5044-170-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5044-169-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/5044-184-0x0000000000310000-0x0000000000E2D000-memory.dmp

Filesize
11.1MB

Download