rms | e37360817ca1827b57733bcbc87029a41af2f9edb3318555b6065c0b8cf71e46

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d97f291a3f61d51ef5b1b88ddb5a1323.exe
Size

6.2MB
MD5

d97f291a3f61d51ef5b1b88ddb5a1323
SHA1

fa572033baa1e5f0d4192a7163127e331e864209
SHA256

e37360817ca1827b57733bcbc87029a41af2f9edb3318555b6065c0b8cf71e46
SHA512

e11b2c6039c5391e57a617ff8456b8ff633d66eaafb1e5de639830af406ebed78afac95b81b813f253cd00a6e1c570b9de3e863a62d91b2d5fce64ff0fb9cb01
SSDEEP

196608:hPO1tdNQ/gLyzFQgR/CdRFbxCpgDYihHFAel06:hm3Q42zFQY6d7xVYAAel06

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 10 IoCs

Processes:

rfusclient.exerutserv.exerfusclient.exerutserv.exerfusclient.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	process
3008	rfusclient.exe
2516	rutserv.exe
2668	rfusclient.exe
316	rutserv.exe
1392	rfusclient.exe
2204	rutserv.exe
2628	rutserv.exe
1876	rfusclient.exe
3044	rfusclient.exe
1892	rfusclient.exe

Loads dropped DLL 32 IoCs

Processes:

MsiExec.exerfusclient.exerutserv.exerfusclient.exerutserv.exerfusclient.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	process
560	MsiExec.exe
3008	rfusclient.exe
3008	rfusclient.exe
3008	rfusclient.exe
3008	rfusclient.exe
3008	rfusclient.exe
3008	rfusclient.exe
3008	rfusclient.exe
2516	rutserv.exe
2668	rfusclient.exe
2668	rfusclient.exe
2668	rfusclient.exe
2668	rfusclient.exe
2668	rfusclient.exe
2668	rfusclient.exe
316	rutserv.exe
1392	rfusclient.exe
1392	rfusclient.exe
1392	rfusclient.exe
1392	rfusclient.exe
1392	rfusclient.exe
1392	rfusclient.exe
2204	rutserv.exe
2628	rutserv.exe
1876	rfusclient.exe
1876	rfusclient.exe
3044	rfusclient.exe
3044	rfusclient.exe
2628	rutserv.exe
3044	rfusclient.exe
1892	rfusclient.exe
1892	rfusclient.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 17 IoCs

Processes:

rutserv.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msimg32.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rwln.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rasadhlp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\ripcserver.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\oledlg.dll	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f764119.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4377.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f764116.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f764116.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A2.tmp	msiexec.exe
File created	C:\Windows\Installer\f76411b.msi	msiexec.exe
File created	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f764119.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 12 IoCs

Processes:

rfusclient.exemsiexec.exerfusclient.exerfusclient.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "RtlUpd.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2636 PING.EXE

pid	process
2636	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
2936	msiexec.exe
2936	msiexec.exe
2516	rutserv.exe
2516	rutserv.exe
316	rutserv.exe
316	rutserv.exe
2204	rutserv.exe
2204	rutserv.exe
2628	rutserv.exe
2628	rutserv.exe
2628	rutserv.exe
2628	rutserv.exe
1876	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

1892 rfusclient.exe

pid	process
1892	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: SeCreateTokenPrivilege	2720	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2720	msiexec.exe
Token: SeLockMemoryPrivilege	2720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2720	msiexec.exe
Token: SeMachineAccountPrivilege	2720	msiexec.exe
Token: SeTcbPrivilege	2720	msiexec.exe
Token: SeSecurityPrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeLoadDriverPrivilege	2720	msiexec.exe
Token: SeSystemProfilePrivilege	2720	msiexec.exe
Token: SeSystemtimePrivilege	2720	msiexec.exe
Token: SeProfSingleProcessPrivilege	2720	msiexec.exe
Token: SeIncBasePriorityPrivilege	2720	msiexec.exe
Token: SeCreatePagefilePrivilege	2720	msiexec.exe
Token: SeCreatePermanentPrivilege	2720	msiexec.exe
Token: SeBackupPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeShutdownPrivilege	2720	msiexec.exe
Token: SeDebugPrivilege	2720	msiexec.exe
Token: SeAuditPrivilege	2720	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2720	msiexec.exe
Token: SeChangeNotifyPrivilege	2720	msiexec.exe
Token: SeRemoteShutdownPrivilege	2720	msiexec.exe
Token: SeUndockPrivilege	2720	msiexec.exe
Token: SeSyncAgentPrivilege	2720	msiexec.exe
Token: SeEnableDelegationPrivilege	2720	msiexec.exe
Token: SeManageVolumePrivilege	2720	msiexec.exe
Token: SeImpersonatePrivilege	2720	msiexec.exe
Token: SeCreateGlobalPrivilege	2720	msiexec.exe
Token: SeShutdownPrivilege	2156	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2156	msiexec.exe
Token: SeCreateTokenPrivilege	2156	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2156	msiexec.exe
Token: SeLockMemoryPrivilege	2156	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2156	msiexec.exe
Token: SeMachineAccountPrivilege	2156	msiexec.exe
Token: SeTcbPrivilege	2156	msiexec.exe
Token: SeSecurityPrivilege	2156	msiexec.exe
Token: SeTakeOwnershipPrivilege	2156	msiexec.exe
Token: SeLoadDriverPrivilege	2156	msiexec.exe
Token: SeSystemProfilePrivilege	2156	msiexec.exe
Token: SeSystemtimePrivilege	2156	msiexec.exe
Token: SeProfSingleProcessPrivilege	2156	msiexec.exe
Token: SeIncBasePriorityPrivilege	2156	msiexec.exe
Token: SeCreatePagefilePrivilege	2156	msiexec.exe
Token: SeCreatePermanentPrivilege	2156	msiexec.exe
Token: SeBackupPrivilege	2156	msiexec.exe
Token: SeRestorePrivilege	2156	msiexec.exe
Token: SeShutdownPrivilege	2156	msiexec.exe
Token: SeDebugPrivilege	2156	msiexec.exe
Token: SeAuditPrivilege	2156	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2156	msiexec.exe
Token: SeChangeNotifyPrivilege	2156	msiexec.exe
Token: SeRemoteShutdownPrivilege	2156	msiexec.exe
Token: SeUndockPrivilege	2156	msiexec.exe
Token: SeSyncAgentPrivilege	2156	msiexec.exe
Token: SeEnableDelegationPrivilege	2156	msiexec.exe
Token: SeManageVolumePrivilege	2156	msiexec.exe
Token: SeImpersonatePrivilege	2156	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d97f291a3f61d51ef5b1b88ddb5a1323.execmd.exemsiexec.exerfusclient.exerfusclient.exerfusclient.exe

description	pid	process	target process
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 1996 wrote to memory of 2392	1996	d97f291a3f61d51ef5b1b88ddb5a1323.exe	cmd.exe
PID 2392 wrote to memory of 2260	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2260	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2260	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2260	2392	cmd.exe	chcp.com
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2720	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2156	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2636	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2636	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2636	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2636	2392	cmd.exe	PING.EXE
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2392 wrote to memory of 2748	2392	cmd.exe	msiexec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 560	2936	msiexec.exe	MsiExec.exe
PID 2936 wrote to memory of 3008	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 3008	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 3008	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 3008	2936	msiexec.exe	rfusclient.exe
PID 3008 wrote to memory of 2516	3008	rfusclient.exe	rutserv.exe
PID 3008 wrote to memory of 2516	3008	rfusclient.exe	rutserv.exe
PID 3008 wrote to memory of 2516	3008	rfusclient.exe	rutserv.exe
PID 3008 wrote to memory of 2516	3008	rfusclient.exe	rutserv.exe
PID 2936 wrote to memory of 2668	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 2668	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 2668	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 2668	2936	msiexec.exe	rfusclient.exe
PID 2668 wrote to memory of 316	2668	rfusclient.exe	rutserv.exe
PID 2668 wrote to memory of 316	2668	rfusclient.exe	rutserv.exe
PID 2668 wrote to memory of 316	2668	rfusclient.exe	rutserv.exe
PID 2668 wrote to memory of 316	2668	rfusclient.exe	rutserv.exe
PID 2936 wrote to memory of 1392	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 1392	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 1392	2936	msiexec.exe	rfusclient.exe
PID 2936 wrote to memory of 1392	2936	msiexec.exe	rfusclient.exe
PID 1392 wrote to memory of 2204	1392	rfusclient.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\d97f291a3f61d51ef5b1b88ddb5a1323.exe
"C:\Users\Admin\AppData\Local\Temp\d97f291a3f61d51ef5b1b88ddb5a1323.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2636
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "RtlUpd.msi" /qn
    3⤵
    PID:2748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F352B2A7914E1BD071DD333C8624FC32
  2⤵
  - Loads dropped DLL
  PID:560
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2516
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2204

C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2628
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- - C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: SetClipboardViewer
    PID:1892
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76411a.rbs

Filesize
15KB

MD5
c6406266b9ac311c1b1d135a540aff39

SHA1
3bd974cb45609bdf8238fee291374ac5ead78087

SHA256
38b75d46b20f81f4dd5ca26f2041565dec987b8d83134243d4c4e035864e2d7d

SHA512
874f0024a3ea3312c3a4aca0dd9835f0265aec194b61ac943b861e1a574c853f8c43f171baf6390bf32c63ede4e9d62dfcdf515f638e8db3d7dcf2087433008e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RtlUpd.msi

Filesize
6.5MB

MD5
f3d8e9ba4e1209b85f4e87d732b5d2f6

SHA1
307534738abf2296867b4a71f8e696503e18dc42

SHA256
7b39554e0edbac87b3be7a998c357198e90d392b7f6b8a27b45d746bda89be86

SHA512
0e2d4c02d5d3929f6c70544292f609a09b64dbcba4fcea9fa3e63b70459495284783b4669af266f770693428d71bde1815f20d814d878a0a37288a0c6e91acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
215B

MD5
51b644f5cb754199205c02e4af829275

SHA1
e38e39968569bce0251025002827f47e884be863

SHA256
fe281a763bd026d03e6134f72161b589c8c9fba9eef8930c442f9fb7d8c30d84

SHA512
a670c3ab3ab1a0e37478421588669c017a8230f1f85142030c94a207bcb1f506205eecc95d9442ae857a463397c552b07f71ae566cf8a8868f819a6da422174c

Download Submit
C:\Windows\Installer\MSI41A2.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\f764116.msi

Filesize
1.0MB

MD5
e7702d9253b645ac6850208a1dd7aff5

SHA1
0a705ff896cb358412330b3edf63f2f35e128ea2

SHA256
7d92adb23dd8b41c7b560e53595336520c1b7210eb0dbeac6c34ede53db5b578

SHA512
ac5755db00d44377b77873c86ee1b92f0fbc31caee6356e8fc5682e7a31d31254f9ff7d218fbdf42be335fb506e824645183499a80954f78a71dd2c21ace88a5

Download Submit
C:\Windows\SysWOW64\sysfiles\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Windows\SysWOW64\sysfiles\gdiplus.dll

Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
C:\Windows\SysWOW64\sysfiles\rasadhlp.dll

Filesize
3KB

MD5
8679b09cc9600a1f11a3c09cec12637b

SHA1
cad5c92e561b64d1f4e1f70c7596dcf186304ecb

SHA256
7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f

SHA512
93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
1.8MB

MD5
b9970146e4ca4bcfef0a5a861b80fa68

SHA1
b4757779c0411e36e6e47bb1002bf3242c01b403

SHA256
e73ac784c35547255b5e5920347434fbc062bf659a7f7683b66f6a260737845e

SHA512
9b1d1013890f86e31bb52eae00a9f88e2f5b4989f002f140940c70cc89eb56800b451d28807008a591265aaddeb6a3bd65d45053bc3c1d2e7005017e975f0d64

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
1.1MB

MD5
3ef4c953d8fc6633ab8e25742d061233

SHA1
bf1b1ab8790f96848fb318d5017805edb3eb0a03

SHA256
b03dffcd26146cf1f1ecd6bed1d585bfe0caff5d78e82dae404a2929f7453b10

SHA512
204461fa2dc70e0f91650208be240c803c64c5f8e63a22167dbce51a2a149975946b30447bd8012b64fdd1df529571c93278ca67ae86cf398238d9c4d9ab6545

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
2.7MB

MD5
d15d8d587aecb983613a5453c2ff86e7

SHA1
d0684c3fa7f9e69ba7e503e5d23a91dd88757d30

SHA256
13a6c16625d7c30780680ba8ba2b4844a7263bb6dbd89734a96d7c9f0ff994f4

SHA512
d7c7eca94aacf1bfdd6f26e7774f9c66b78a590e15fde374cc21ecd40fa30613659b56b9b2dd7f8116e0a19f8447f6050eec7315b94f4cab2d24b8af4dcea21e

Download Submit
C:\Windows\SysWOW64\sysfiles\ripcserver.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
2.0MB

MD5
bd8a69dfdafd0c9f74f7c9edfe93ca6a

SHA1
0679d0c5d01010783e5c6f870cd00a61b00956b0

SHA256
39430e274ee5ff626fea308a43244788111874960cc880a28cba49885061dc0a

SHA512
ac979d601f5cbb252c457d6702945bb2220357467146ed3ef2759326c42a541514b3902e2d13c53d6fdd3788176c6b48cb3f055d9ac50298a1ac5791f4237ff5

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
2.5MB

MD5
b98460579f7974aa2d47e62ff6d4a9b4

SHA1
f3730ea6fb51a436ebcb15edb3f12c8b695e0b56

SHA256
caafb8682c517eba086c8e7e5326c4d2be5784cd10351c9b46ab2143b281a341

SHA512
ceae26335cb94ee920f1baf4b03d1a948668adc5b72df12050b2816602d04e687c93697448dd76808df71c7e8ab5306eb3cca081199b8ce9e9888c8a9b5a4ba7

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.1MB

MD5
80af74151bdf4c33f5c19326a436cff0

SHA1
43bf93b46ade225bc3a76b27cc9dd5631bf1844f

SHA256
f3a0bd4f5dc86b1850d96b8837a81d097fccc9ccf1ed4105744be9b55014d8a6

SHA512
55fb7a0e6c7f9a2902c19d60de1dacbf117bda27b715f6672c143c7c42a0b101603792f671cf40df17e0346b30254f9d7d71135d7fbd724f070ac6bf4c54aacf

Download Submit
\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
2.1MB

MD5
4153fc38525c30a289cabf897a0321eb

SHA1
4719a26feddf54e01a9c1e6ec3413de960317745

SHA256
f87d69a5f20f3a2c7cc56577d3bd84f428e88f696a436c2e2d842e40471cfb1d

SHA512
38cf703102ea286f973e3e6ea1ac41e66c4ba349f5cca86fadba8f20dd644b6ec988d9a5888dc62776840e069265ecbd6fd9673482bd617e2dab47c52faa4fe3

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
3.5MB

MD5
d7c784d58fa4248320bc64afc26163a5

SHA1
4065dde9f44fb1ebc5a071e7b8e007c0ee55919b

SHA256
0a9f9cf2b84073d99cfb39f805b0db1ff1c7c8df04b5c584360a5306980bd8f8

SHA512
f4e134a20dc025ecd7ec37edebc08e1829e69b59d05b2b2cc3b206cb24944e3adc71c66b413504964d3335af0ae42793589a6ad967a662d1700e79913391ed5a

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
3.1MB

MD5
bf8caeac34d309b7b588ad7bf26ceefa

SHA1
1e69ca647f5c41866374633f52ca5c746a9a9510

SHA256
c1356cfc4f42d541de340fe05f7510c0530a9a52c82fc51c3eb0683edd74291f

SHA512
1e7737ea606171b09a55e606ea2c8c2debbf9db394df41f3e863a90cdde99b5335f191b6820c8915984c6fd3478e6bd7f2e3523a564c3f566f6ea1957c4272a8

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
2.9MB

MD5
9655f51a05ca341fbb742333d399bc3b

SHA1
03f9543a672cc4432a5af8aba6d060278f7d3c16

SHA256
71ad957c8c4c66f7e471de483e0868e168ba8223e15e4eeb09d6fd27a460cd6d

SHA512
c2867303b9c5228cb733f511cd10f63305a205d67d62b9cfea9fe4227c34140586c87b6c311ae76cdff1c0150314c1a9d726068719d1c3cd27c4180cd4ede3ae

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.5MB

MD5
3c219937366ee037cf5a61b68b04cc26

SHA1
51daeda5bbc936a9490ea4987772d427cc7dc074

SHA256
518b3decaddb1f56965c8dd3601dbba1f1d70b988c9aaa80e284893840c0c578

SHA512
3c01189678120e12bd25ab7b0a8ae550e278bfb7f44d037f9d6ff2dc2e103d2abd7c930af23c1c2cf73b47e94c0bcd52bbc6e91369e5585d8b12162c4d5084f5

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
3.9MB

MD5
92d1303ca10b315715be9b767994bca3

SHA1
d50a39694223236d501d49dc547b229363ef7dd0

SHA256
3b9f8b18b3c9835e93657af1e34b12ef16b1a6996c1033657528b808d4d5dab0

SHA512
8f404a6d61bfd49ae127d37d47be2d7b33ba774dd7e1a6da788b13a13ef59e83af98ecd515183a74896d841331c2e8aaaf69b592c81b73c161e5909e6a4a70ed

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.2MB

MD5
6e1c10fb744fbdb623c336c41abf5b9b

SHA1
726d1cad626d11fff8fa9bf488edd551d506a5da

SHA256
17e2a1e7cc94fbe49b397680475d8b7881b10bd131efcc0605285bed4eb8c3c5

SHA512
7b8d014bde1e29d2071052ca3ded0e055e7d57cbfb12da46ead753e5dd2c97cf5c8469ab6a9d7b6bdc6032c632e0fe0ed16ed399c585d7a97fdc011e68d633bd

Download Submit
memory/316-79-0x0000000074260000-0x0000000074263000-memory.dmp

Filesize
12KB

Download
memory/316-76-0x0000000074260000-0x0000000074263000-memory.dmp

Filesize
12KB

Download
memory/316-78-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/316-77-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/316-128-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1392-131-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1392-132-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1392-93-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1876-122-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1876-155-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1876-143-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1876-142-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1892-138-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1892-137-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/1892-136-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2204-100-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2204-130-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2516-61-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2516-57-0x0000000074270000-0x0000000074273000-memory.dmp

Filesize
12KB

Download
memory/2516-58-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-62-0x0000000074270000-0x0000000074273000-memory.dmp

Filesize
12KB

Download
memory/2628-139-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2628-173-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2628-164-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2628-157-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2628-140-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2628-105-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2628-141-0x00000000019D0000-0x00000000019D6000-memory.dmp

Filesize
24KB

Download
memory/2668-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2668-80-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2668-68-0x0000000074260000-0x0000000074263000-memory.dmp

Filesize
12KB

Download
memory/2668-81-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3008-46-0x0000000074270000-0x0000000074273000-memory.dmp

Filesize
12KB

Download
memory/3008-63-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3008-64-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3008-47-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3044-144-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3044-145-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/3044-146-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/3044-147-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3044-161-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3044-169-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/3044-121-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download