rurat | 20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Електронний план евакуації.exe
Size

20.1MB
MD5

9b40a1519801020305e31e553a3e82ab
SHA1

cdb31b4af42b3fb27527839ecf26d1c26f2a5d06
SHA256

5158482849c818c270f302c1dfa06d770ed2b5056cf393d60fd56817636866da
SHA512

57fb1869dee12253b97d787e26398ee2cd00c8bea8feaa737ffe0c61f5cad342a956cc0357cfb3551d31425df5cf857db560b3b97d16e57d5a8596d45f42bca9
SSDEEP

393216:zTrD0wz5HtKIdVtvz75Un+2PJ3L6LBQ45TDmZmLCAJ+JuuPUg9ScrRl:TgwdHUyVtvz75Un+uhs5TWmODgyaA

Score

10^/10

rurat backdoor trojan

Malware Config

Signatures

RuRAT
RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.
trojan backdoor rurat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exerfusclient.exerfusclient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 9 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	process
1660	rfusclient.exe
2088	rutserv.exe
2312	rutserv.exe
2436	rutserv.exe
2340	rutserv.exe
1816	rfusclient.exe
1796	rfusclient.exe
2192	rfusclient.exe
1964	rutserv.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
2960	MsiExec.exe
2088	rutserv.exe
2088	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

3 2848 msiexec.exe
5 2848 msiexec.exe
7 2848 msiexec.exe

flow	pid	process
3	2848	msiexec.exe
5	2848	msiexec.exe
7	2848	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 55 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpdisp.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\pdfout.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f76427c.msi	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\f76427c.msi	msiexec.exe
File created	C:\Windows\Installer\f76427f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File created	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76427f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FBD.tmp	msiexec.exe
File created	C:\Windows\Installer\f764281.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\ARPPRODUCTICON.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\PackageCode = "18BC6BFBD2A8CF147A73C58FBE730039"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ADD21FF3AD83F6644B3E7657CAFE5583\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\ProductName = "Remote Utilities - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Version = "117571586"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\ProductIcon = "C:\\Windows\\Installer\\{3FF12DDA-38DA-466F-B4E3-6775ACEF5538}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\ADD21FF3AD83F6644B3E7657CAFE5583	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ADD21FF3AD83F6644B3E7657CAFE5583\SourceList\PackageName = "install.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	process
1660	rfusclient.exe
1660	rfusclient.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
1816	rfusclient.exe
1816	rfusclient.exe
1796	rfusclient.exe
1796	rfusclient.exe
1816	rfusclient.exe
2192	rfusclient.exe
2192	rfusclient.exe
1964	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeSecurityPrivilege	2848	msiexec.exe
Token: SeCreateTokenPrivilege	2700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2700	msiexec.exe
Token: SeLockMemoryPrivilege	2700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2700	msiexec.exe
Token: SeMachineAccountPrivilege	2700	msiexec.exe
Token: SeTcbPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeLoadDriverPrivilege	2700	msiexec.exe
Token: SeSystemProfilePrivilege	2700	msiexec.exe
Token: SeSystemtimePrivilege	2700	msiexec.exe
Token: SeProfSingleProcessPrivilege	2700	msiexec.exe
Token: SeIncBasePriorityPrivilege	2700	msiexec.exe
Token: SeCreatePagefilePrivilege	2700	msiexec.exe
Token: SeCreatePermanentPrivilege	2700	msiexec.exe
Token: SeBackupPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeShutdownPrivilege	2700	msiexec.exe
Token: SeDebugPrivilege	2700	msiexec.exe
Token: SeAuditPrivilege	2700	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2700	msiexec.exe
Token: SeChangeNotifyPrivilege	2700	msiexec.exe
Token: SeRemoteShutdownPrivilege	2700	msiexec.exe
Token: SeUndockPrivilege	2700	msiexec.exe
Token: SeSyncAgentPrivilege	2700	msiexec.exe
Token: SeEnableDelegationPrivilege	2700	msiexec.exe
Token: SeManageVolumePrivilege	2700	msiexec.exe
Token: SeImpersonatePrivilege	2700	msiexec.exe
Token: SeCreateGlobalPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rfusclient.exe

pid process

1796 rfusclient.exe
1796 rfusclient.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rfusclient.exe

pid process

1796 rfusclient.exe
1796 rfusclient.exe

pid	process
1796	rfusclient.exe
1796	rfusclient.exe

pid	process
1796	rfusclient.exe
1796	rfusclient.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2088	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2312	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2436	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe
1964	rutserv.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Електронний план евакуації.exemsiexec.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 2212 wrote to memory of 2700	2212	Електронний план евакуації.exe	msiexec.exe
PID 2212 wrote to memory of 2700	2212	Електронний план евакуації.exe	msiexec.exe
PID 2212 wrote to memory of 2700	2212	Електронний план евакуації.exe	msiexec.exe
PID 2212 wrote to memory of 2700	2212	Електронний план евакуації.exe	msiexec.exe
PID 2212 wrote to memory of 2700	2212	Електронний план евакуації.exe	msiexec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 2960	2848	msiexec.exe	MsiExec.exe
PID 2848 wrote to memory of 1660	2848	msiexec.exe	rfusclient.exe
PID 2848 wrote to memory of 1660	2848	msiexec.exe	rfusclient.exe
PID 2848 wrote to memory of 1660	2848	msiexec.exe	rfusclient.exe
PID 2848 wrote to memory of 1660	2848	msiexec.exe	rfusclient.exe
PID 2848 wrote to memory of 2088	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2088	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2088	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2088	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2312	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2312	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2312	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2312	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2436	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2436	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2436	2848	msiexec.exe	rutserv.exe
PID 2848 wrote to memory of 2436	2848	msiexec.exe	rutserv.exe
PID 2340 wrote to memory of 1816	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1816	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1816	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1816	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1796	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1796	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1796	2340	rutserv.exe	rfusclient.exe
PID 2340 wrote to memory of 1796	2340	rutserv.exe	rfusclient.exe
PID 1816 wrote to memory of 2192	1816	rfusclient.exe	rfusclient.exe
PID 1816 wrote to memory of 2192	1816	rfusclient.exe	rfusclient.exe
PID 1816 wrote to memory of 2192	1816	rfusclient.exe	rfusclient.exe
PID 1816 wrote to memory of 2192	1816	rfusclient.exe	rfusclient.exe
PID 2340 wrote to memory of 1964	2340	rutserv.exe	rutserv.exe
PID 2340 wrote to memory of 1964	2340	rutserv.exe	rutserv.exe
PID 2340 wrote to memory of 1964	2340	rutserv.exe	rutserv.exe
PID 2340 wrote to memory of 1964	2340	rutserv.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\Електронний план евакуації.exe
"C:\Users\Admin\AppData\Local\Temp\Електронний план евакуації.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i install.msi /qn
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24A0ADD096299FB6FC27B01C81F3C712
2⤵
- Loads dropped DLL
PID:2960

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\install.msi"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f764280.rbs
Filesize
40KB

MD5
916e85515cf700d54064a9ff98eb0a3b

SHA1
521621386dd6821f0c3d903c6d31d85177ce7a14

SHA256
db12efae4a58a728e044438afbb8f143b6f4ef3ccd1eea7c7c2ca13d88f89b30

SHA512
bf7c1965ba5f84c5122c40419bdd15870cea1df1e588086be1efb59e7d83774d3c2f3e3b7cce97a5402115d8a5fe8608ef7d54fb36546a37b1ebf6fd75ee2c50

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll
Filesize
52KB

MD5
b2e6147f97dae696265a089f98ce8106

SHA1
418f20ec486b7a9368ceff183e7cebae9ba52101

SHA256
44917b2c260fea3a0f4691f6e986c25e31b3f9ff22dcd055526199b4d8a54051

SHA512
789dd02281b71fab54f42b92b5c0c76c0266c40100dbe532ad3ebbf968e8a9e674f0be57e2ffdb10eb4a6b4faa15a6a6a92907c020c6cd2990427d890d7f5026

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
1.3MB

MD5
b0433711581916700978618558131929

SHA1
6513c7c14f19fa37c73926fc098a9da678621e04

SHA256
26b24dcd9cb7ab8761ae7fb597704f81e2a6ede6572a247c39a969960dbba539

SHA512
a1d8bcd4b641b5e54a4435a70e19a56ecce6dc9c7d9b6fc28f7829de96d139c9cfd10f35f096529f8d33583bea8ffe1b6c2636f2710d9d01f1a7513f77db8589

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
1.4MB

MD5
1a381021d2adfb33de5f3b8733780d93

SHA1
d73b2adf8e533f556bbf750f325b5ef579506922

SHA256
4ffdf9449a1801eb1549e3b404a499ad12c3a08cbdd53dce769d99c472e9e210

SHA512
4a71a3c4a3bf73682d9d5cdde24d0582c1115524f0b3e174c11820cce9cab49e8869d977af52414487ac0aec0f8d533692ff7535b4fef6d17fa577f77cb7f2cd

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
1.5MB

MD5
2ec57cb14ed983cca67128ef51fd7e6b

SHA1
7b842aa8b01276336735b1f6efd0a522ecdc7a9c

SHA256
ad052785163db01e3fbd0ba9759e23d982b702c8f954c58a20b0bb0aa064f7ef

SHA512
86d7217203814338a63ed8d96a50a3581f9a30c331690325c144eaefebaf2c00ffa65713e81caf389285c6ae1689ab3ff37758bd020ae02736f3167211736157

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
250KB

MD5
2f823b0f582f44b189a102b7b9cd0bd9

SHA1
3a024dcf02bac3396572805eacf07752c29cf1ed

SHA256
718634266950c81358eb14f77f0a3683e78678f32e7f8e72c31ed9f620b01ab2

SHA512
7d8d5f741316c6a219051cb2148c4272a37c4fc34270638eb122df4f56df046abe59224e40a96214e3bab0f84f521db2e4af2b6a0b7080852d0ff605cc501a7a

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
140KB

MD5
e25d379c09f8b90710ebcf4c9d85ab96

SHA1
eceae640e70616ff4deed66509b06669c02bbe68

SHA256
2b53db652532265b2217ca63fc193edb83b84013c08ecfd5bc708ba2b0c7d613

SHA512
a5bcacc4fbc660052ac013f24bf7f80000e2a6b0f604fb66eab63ddfb4e8eb5057a0c4691fec7f05151ee67c2963ea4cf87573dd007c20edab87acb4bbcc2a98

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
Filesize
336KB

MD5
9cede5026df54503ffc7e3c059493aba

SHA1
527e4a32f14f6a15f8956aa5a19e6448084a8934

SHA256
1238791cf948d31462181a40bb8ead72c1c77ef60bbe663d0a577ecc6c4c122e

SHA512
ff9fc247e825f770cf19b84f345d0a2d63cc59220a98f6534446d9293500faea17350bca279721367b932737446683a37f8549d3b9c73c4b0c9dc25030fbd21c

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
681KB

MD5
14de3fec944b51bc5c4f567467e8c760

SHA1
d22d7dd08daf07dd4c4ae84e46c71ae9699a6275

SHA256
a60108231bde6577ff42afbd4e3e873094c270b8a41dc6bab22cc72c7e6550f4

SHA512
582ac38de6ebc9136c8bfe97f14b6430bb7275d6377a5b663677ee1681e6738f1f9d2bf58295f72480fcf5c13f3013f6f37a47435aa2961fcc0227e0eb6ba2a1

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
676KB

MD5
485aae4a59940a426c9e4b52eb2638a0

SHA1
1a4cd4626eac26f18a3a33f3ef78f02517b97e59

SHA256
df2b888359144c0d24aa680e15dfc56e3dd542429c949fc79c1c8e8de572482b

SHA512
f611242d699f100592e85b48ceaccf8aae34cf4dc8b657e081771704feff5cf6aa477deded345d5e5f7057ac64ef1a610cb68ded3f24f8a176456a19847ecca8

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
246KB

MD5
76003581cd3378fa231fc331d61fec97

SHA1
49982874ed29db6fde0335654d272b20a6a4bda7

SHA256
4ff563f9896995e79ec3e92a16fa54ae10fb8cefdec4fb1a3a6ab44d9a5d880a

SHA512
d49f84d5a61f37a7813e7fe882651407be328c4fd089c8a4673d885d9a388985ce9c66f4dd29d72fd0980437cc062b152fcc691fc33c3fd24351a09b50814f96

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
1.1MB

MD5
ef550027c7db2406b7f8ee89b73e12a4

SHA1
b394852f556c6062aa756e25c5224fc7780c0d64

SHA256
dba5e4d1d9db2dfe6ae08daded6f5f25dcedc29ee98d35a431fa1f1c6fc615df

SHA512
47105f897335588e03ab4afdb2baa45b2c5c788363dfdf3e5cfc0f476530f765ee58176ae3159c27258a48e2cff6f0a043b41293cc2cd1cdc2189441b1d776cc

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
505KB

MD5
3284a3735d5d44a86939dd5db98ff576

SHA1
4b228423cd271a50f7b2139f09cd4b9674a07f04

SHA256
de9aa428582fc370bcad1c0410a23f70f1d9897d98b49f245c8c0e4f64284f34

SHA512
9323debab90f68ff5efe9e14ea539b2fe2c00758c7377074530d31f26a23a433c6c54fbf4e739961aa88a85045232a38f45b039a29f7245e6dc68a3d3c0969f7

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
Filesize
3.4MB

MD5
b990aa4530245097b3da0f3e81ddf939

SHA1
c1c0b36728cea8a74b68f607de63668980637247

SHA256
52067713b339ffa0d6d8f23294654365c3c685864c2e29359d7cafcee0aecc40

SHA512
9c9c217133a9f6122219db2136f035d05d00e34b0e6007ba1c2ee15d0d97027e6d542223f5ce06fa4f245e53d2217bdce50d4e169aa41f575069f74fa101ebfe

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
Filesize
338KB

MD5
74f9696be4b46f04a1263c3181405c35

SHA1
cf66b349beaa2bc25ed5807763e32018e4304c7b

SHA256
d6e8bee1a9476ed3be229f4be81cc1154f1ed425e50e74fd1abcd76c56ea062c

SHA512
f122e00b795476809994733028346d82945566ce4c2be26444f02e077658ccb1ba0f3fe221cef37837941054fe4b3b54b3f9a74861f890e56544d1453823fd68

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll
Filesize
380KB

MD5
c14000f68306f1cf0ec799df9568ae01

SHA1
788d8d7a0ba86ba6c7ef4f7ae50cdc65ddb348ff

SHA256
53b040341ce80f246c8437a99df5252a48801e2154eb94dc50af54a75d8d85ac

SHA512
2d4769949832794ce310474f843b696ea8eeb819554ecd72c449981988a6f8fbc5155d84a97d8a4c015348b3dfe6708f88c64b257d4a4d0d4a03dd068dda4113

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll
Filesize
388KB

MD5
394b46ba59fac2a752ec97b1688e5e9e

SHA1
55c0942cbd4505ccddd84735b69b20b2278985ff

SHA256
d23e92d595e23f6c628ccd0a433fe3c8a4040ad22b9d1f5da0c64112a18b0513

SHA512
a2ef2acc252097e2625fa0cc845de1c11343a25455011c74922ff24fb788f5519bc8294c144cfc079acf641ed3be38dbbc1ddee1b4b9a29e8c67bd3430f7ea73

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll
Filesize
260KB

MD5
5e8673834662ac42b8363e19bc719282

SHA1
bb1c1ed731830a03db47d232e748df4e4d196db9

SHA256
a64a113955ec0d89ae6ff357f9bb1063c7dd29fe5610ee516a94ac17b11172c2

SHA512
3cf558b2d3ca03aed1ef0cfe36fb7ff3fe7a3af63a4c3b0cb6cf13c58baacae17e5a01bad743affae8c4f5b9f5425dd4a97755aca2ded99e70d782f699a9e225

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll
Filesize
260KB

MD5
36e2e8f7161484b188b4df580bb734d0

SHA1
4a17b8d365d075d6223ab6bbfadce3ff768aee68

SHA256
0adbd33c4e97042f54cb219ce82999da2e6426019a8f429e91bba0e5aa0a645e

SHA512
272d73cfac2ec49efc185d3698210fc21a5ccc48a731f0400082ef64f94d5473aef0a93f9fb49a1115f488256ac053278aa7caa59743f1623e93500df0e5d7af

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll
Filesize
402KB

MD5
2a2c8d37624aaebd4d7284a64ff2f6aa

SHA1
b45098d39deaea594aa056e2e33a8436e44913c0

SHA256
7c238b0c11635afd9fa96ef88c4bc738a3b8fe657593bc78bce3804c3c2c3b67

SHA512
8cfd759a4760d3e244d18faf7d102c7f2f64d07e35ccad8beaaabb31aac738eb5ab0d8f1f801ddf5ea619e81878e75f1e2c3f116345f6942c8301995f8306caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4433.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar453F.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.msi
Filesize
21.6MB

MD5
f54fd78880d87f1021cefcdafb516ff8

SHA1
4b46b0ea729abf629899bd2d74149b524b9767a5

SHA256
06956bb4eee98f34f035af11666459b2f9fc5f7485b2cf16f6afb17bfa15a061

SHA512
9b25552a6d91e4db3b7a9f04896810f0a77d29bc86a7b7c2cda72bc50a5326c567d12b2075f95ea9dc92510989a2ae16f57a9e3003de846041f7e6dd244e06ea

Download Submit
C:\Windows\Installer\f76427c.msi
Filesize
5.1MB

MD5
469ad124ae7132fc7ee3f507d49b2963

SHA1
a99fc31cc06cf41ee1ea02cc9bd0d6e231947b48

SHA256
29e7f1917a21eba11e563e19b788de732a16d6c3012099ec266d894734d9753e

SHA512
b6b542c111ef39172e40e5f112b6da25512051f0f68694512b82badbb17a753b80d57844c756b0787cb98009caeec829d8a0f3033d3cf8195d6c6b4bf2f84c6f

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
99KB

MD5
de25232c393e1cf4f0fdb369b9fbae83

SHA1
4aeafbbbf9a72cbb53681c8483eebaedfa046f24

SHA256
2b31d96671cab2c26c50ee3d8c60bc4f42150dd03c15489a63ae65ef1c4a123e

SHA512
b203729891fc608334ef9534a3131116676f8892c84532a38efc1eae68dad3377286e8ead6d83d04b66671d2f416c9602ada905997e8680078b362c0b5904d86

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
939KB

MD5
3a2b54979a665f5587a0f66a36b34525

SHA1
e188a71256725fc1654825c7e2d2f706ade4008b

SHA256
84ccb5f90bbc3f71f3d73987a2701ba362774d03b78bba9060b1e26acdc84a28

SHA512
d1d9ad9a3f1c23574218f620ea70df05174a1482a363e1cc4f8ed6d882a63fa67e6ade96f94b188dad40b3d61e623e35bf43327f8e44135a2f61e32ee2a08453

Download Submit
\Program Files (x86)\Remote Utilities - Host\libeay32.dll
Filesize
597KB

MD5
91699aa810c8d4e355b6358b34787164

SHA1
94c82de2833bccd2e72a88234bb0371165737943

SHA256
c221f185d500e9df661acbf2f7e8934002d623c60b2103b78feeea25e46f9711

SHA512
0cebcdcdc3e1006e2eee7e184b5ec59654af662709ec2382efb04fc944dc5b16e9d50a226c191de89ce4437382c2a947fd1b5b6f7523accae5181c56d438ee6f

Download Submit
\Program Files (x86)\Remote Utilities - Host\ssleay32.dll
Filesize
99KB

MD5
41bab79350f8ed56959995b740cdeb6a

SHA1
6597ceb38057c666ace488c6a8f9d4ba95863a0c

SHA256
fde60ae26905a00148a666734bda4f0e7262bc3353420e17022a7172d42cc23c

SHA512
754f103f0bc7e8b6e597fdfef3e18554dfb7d761bd11a6a7f3ddf46bc2c50650b8dee9575688c3495f0e0ea331ef80597f0ece17c0195faf9aeaec62ac271ef0

Download Submit
\Windows\Installer\MSI45DC.tmp
Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
memory/1660-125-0x00000000012E0000-0x0000000001DFD000-memory.dmp

Filesize
11.1MB

Download
memory/1660-122-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1796-266-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-199-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1796-262-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-270-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-274-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-258-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-278-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-254-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-250-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-243-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-218-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-205-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1796-200-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1796-219-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1796-223-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-194-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1796-231-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1796-227-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1816-198-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/1816-186-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1816-216-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1816-217-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/1816-196-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1816-197-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1964-240-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/1964-236-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1964-241-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2088-130-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2088-141-0x00000000003A0000-0x0000000001890000-memory.dmp

Filesize
20.9MB

Download
memory/2088-140-0x00000000003A0000-0x0000000001890000-memory.dmp

Filesize
20.9MB

Download
memory/2192-214-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/2192-211-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2192-212-0x00000000000C0000-0x0000000000BDD000-memory.dmp

Filesize
11.1MB

Download
memory/2212-6-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2312-147-0x00000000009C0000-0x0000000001EB0000-memory.dmp

Filesize
20.9MB

Download
memory/2312-146-0x00000000009C0000-0x0000000001EB0000-memory.dmp

Filesize
20.9MB

Download
memory/2312-143-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2340-179-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2340-185-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2340-208-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2340-207-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2340-206-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2340-177-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2340-221-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-276-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-225-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-193-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2340-229-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-192-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2340-234-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-163-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2340-188-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2340-189-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2340-187-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2340-215-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-183-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2340-247-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-248-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2340-182-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/2340-252-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-180-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2340-256-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-175-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2340-260-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-173-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2340-264-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-174-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2340-268-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2340-166-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2340-272-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2436-190-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2436-191-0x00000000010B0000-0x00000000025A0000-memory.dmp

Filesize
20.9MB

Download
memory/2436-159-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download