rurat | eb41f9ce5d810092148309af2f932db5b938c57c9c2b8a5a5078e6cb45349b7b

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

21.8MB
MD5

04d54700f8274d32b60222bc1497ebf0
SHA1

1150c1a0e45c6ee5c671a5907c8f057ece4bc1e5
SHA256

eb41f9ce5d810092148309af2f932db5b938c57c9c2b8a5a5078e6cb45349b7b
SHA512

879667c69733b6edad159a5882b4f3a4a8f968c030b4a868742e591b61a5ff476b05f910bc3f2d64583f0bf385aaba6df4ee2ddbd91fbef0f9d74e8d05175fe1
SSDEEP

393216:/LfK/LS1/Lgntpvw2D3r4qg8RvPNJrHS7i9CPq7E0YIpUx9gZjpWQma9BKyIo9Xt:zIQy+qRvPn2+CP+EUE9vFo9L5

Score

10^/10

rurat backdoor trojan

Malware Config

Signatures

RuRAT
RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.
trojan backdoor rurat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exerfusclient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 8 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

336 rfusclient.exe
1256 rutserv.exe
2952 rutserv.exe
3028 rutserv.exe
1756 rutserv.exe
3016 rfusclient.exe
568 rfusclient.exe
1816 rfusclient.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

1788 MsiExec.exe
1256 rutserv.exe
1256 rutserv.exe
2952 rutserv.exe
2952 rutserv.exe
3028 rutserv.exe
3028 rutserv.exe
1756 rutserv.exe
1756 rutserv.exe

pid	process
1788	MsiExec.exe
1256	rutserv.exe
1256	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exetmp.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 58 IoCs

Processes:

msiexec.exetmp.exerutserv.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.lng	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Utilities - Host	tmp.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpdisp.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrvui_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\printer.ico	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Utilities - Host\Logs\rut_log_2024-04.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Logs\rut_log_2024-04.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\pdfout.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\unidrv_rupd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\rupd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\common\rupd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Utilities - Host\Printer\x64\rupdpm.dll	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76344d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File created	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_settings_E3BFC76BE38F4CF79D2ED7163B7DECEE.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f76344d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_stop_B603677802D142C98E7A415B72132E14.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI391C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76344a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BAC.tmp	msiexec.exe
File created	C:\Windows\Installer\f76344f.msi	msiexec.exe
File created	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe
File created	C:\Windows\Installer\f76344a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\en_server_start_85DB64512C79429FA70AC6C0611579DD.exe	msiexec.exe

Kills process with taskkill 28 IoCs

evasion

Processes:

taskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXE

pid	process
1968	taskkill.EXE
1568	taskkill.EXE
1612	taskkill.EXE
2996	taskkill.EXE
1672	taskkill.EXE
1824	taskkill.EXE
3012	taskkill.EXE
2440	taskkill.EXE
672	taskkill.EXE
640	taskkill.EXE
2800	taskkill.EXE
1604	taskkill.EXE
860	taskkill.EXE
2580	taskkill.EXE
2500	taskkill.EXE
2960	taskkill.EXE
2852	taskkill.EXE
2744	taskkill.EXE
2440	taskkill.EXE
2320	taskkill.EXE
328	taskkill.EXE
904	taskkill.EXE
608	taskkill.EXE
2116	taskkill.EXE
1588	taskkill.EXE
2232	taskkill.EXE
1500	taskkill.EXE
2840	taskkill.EXE

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Version = "117506055"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\PackageName = "RUT.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\PackageCode = "44DE303A322600D4C9BD766C631B960B"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\ProductName = "Remote Utilities - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D2BA10AC219E0CF4DA25D216B00E1DFC\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\ProductIcon = "C:\\Windows\\Installer\\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\AuthorizedLUAApp = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\D2BA10AC219E0CF4DA25D216B00E1DFC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D2BA10AC219E0CF4DA25D216B00E1DFC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exetaskkill.EXErutserv.exerfusclient.exerfusclient.exetaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXEtaskkill.EXE

pid	process
336	rfusclient.exe
336	rfusclient.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
1824	taskkill.EXE
1824	taskkill.EXE
3028	rutserv.exe
3028	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
3016	rfusclient.exe
3016	rfusclient.exe
568	rfusclient.exe
568	rfusclient.exe
3016	rfusclient.exe
1612	taskkill.EXE
1612	taskkill.EXE
1588	taskkill.EXE
1588	taskkill.EXE
2580	taskkill.EXE
2580	taskkill.EXE
2840	taskkill.EXE
2840	taskkill.EXE
2440	taskkill.EXE
2440	taskkill.EXE
3012	taskkill.EXE
3012	taskkill.EXE
672	taskkill.EXE
672	taskkill.EXE
640	taskkill.EXE
640	taskkill.EXE
328	taskkill.EXE
328	taskkill.EXE
2800	taskkill.EXE
2800	taskkill.EXE
2320	taskkill.EXE
2320	taskkill.EXE
904	taskkill.EXE
904	taskkill.EXE
1604	taskkill.EXE
1604	taskkill.EXE
2996	taskkill.EXE
2996	taskkill.EXE
1968	taskkill.EXE
1968	taskkill.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rfusclient.exe

pid process

3016 rfusclient.exe

pid	process
3016	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exetmp.exe

description	pid	process
Token: SeRestorePrivilege	2604	msiexec.exe
Token: SeTakeOwnershipPrivilege	2604	msiexec.exe
Token: SeSecurityPrivilege	2604	msiexec.exe
Token: SeCreateTokenPrivilege	1948	tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1948	tmp.exe
Token: SeLockMemoryPrivilege	1948	tmp.exe
Token: SeIncreaseQuotaPrivilege	1948	tmp.exe
Token: SeMachineAccountPrivilege	1948	tmp.exe
Token: SeTcbPrivilege	1948	tmp.exe
Token: SeSecurityPrivilege	1948	tmp.exe
Token: SeTakeOwnershipPrivilege	1948	tmp.exe
Token: SeLoadDriverPrivilege	1948	tmp.exe
Token: SeSystemProfilePrivilege	1948	tmp.exe
Token: SeSystemtimePrivilege	1948	tmp.exe
Token: SeProfSingleProcessPrivilege	1948	tmp.exe
Token: SeIncBasePriorityPrivilege	1948	tmp.exe
Token: SeCreatePagefilePrivilege	1948	tmp.exe
Token: SeCreatePermanentPrivilege	1948	tmp.exe
Token: SeBackupPrivilege	1948	tmp.exe
Token: SeRestorePrivilege	1948	tmp.exe
Token: SeShutdownPrivilege	1948	tmp.exe
Token: SeDebugPrivilege	1948	tmp.exe
Token: SeAuditPrivilege	1948	tmp.exe
Token: SeSystemEnvironmentPrivilege	1948	tmp.exe
Token: SeChangeNotifyPrivilege	1948	tmp.exe
Token: SeRemoteShutdownPrivilege	1948	tmp.exe
Token: SeUndockPrivilege	1948	tmp.exe
Token: SeSyncAgentPrivilege	1948	tmp.exe
Token: SeEnableDelegationPrivilege	1948	tmp.exe
Token: SeManageVolumePrivilege	1948	tmp.exe
Token: SeImpersonatePrivilege	1948	tmp.exe
Token: SeCreateGlobalPrivilege	1948	tmp.exe
Token: SeShutdownPrivilege	1948	tmp.exe
Token: SeIncreaseQuotaPrivilege	1948	tmp.exe
Token: SeCreateTokenPrivilege	1948	tmp.exe
Token: SeAssignPrimaryTokenPrivilege	1948	tmp.exe
Token: SeLockMemoryPrivilege	1948	tmp.exe
Token: SeIncreaseQuotaPrivilege	1948	tmp.exe
Token: SeMachineAccountPrivilege	1948	tmp.exe
Token: SeTcbPrivilege	1948	tmp.exe
Token: SeSecurityPrivilege	1948	tmp.exe
Token: SeTakeOwnershipPrivilege	1948	tmp.exe
Token: SeLoadDriverPrivilege	1948	tmp.exe
Token: SeSystemProfilePrivilege	1948	tmp.exe
Token: SeSystemtimePrivilege	1948	tmp.exe
Token: SeProfSingleProcessPrivilege	1948	tmp.exe
Token: SeIncBasePriorityPrivilege	1948	tmp.exe
Token: SeCreatePagefilePrivilege	1948	tmp.exe
Token: SeCreatePermanentPrivilege	1948	tmp.exe
Token: SeBackupPrivilege	1948	tmp.exe
Token: SeRestorePrivilege	1948	tmp.exe
Token: SeShutdownPrivilege	1948	tmp.exe
Token: SeDebugPrivilege	1948	tmp.exe
Token: SeAuditPrivilege	1948	tmp.exe
Token: SeSystemEnvironmentPrivilege	1948	tmp.exe
Token: SeChangeNotifyPrivilege	1948	tmp.exe
Token: SeRemoteShutdownPrivilege	1948	tmp.exe
Token: SeUndockPrivilege	1948	tmp.exe
Token: SeSyncAgentPrivilege	1948	tmp.exe
Token: SeEnableDelegationPrivilege	1948	tmp.exe
Token: SeManageVolumePrivilege	1948	tmp.exe
Token: SeImpersonatePrivilege	1948	tmp.exe
Token: SeCreateGlobalPrivilege	1948	tmp.exe
Token: SeRestorePrivilege	2604	msiexec.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
1256	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
2952	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
3028	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe
1756	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exetaskeng.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 1788	2604	msiexec.exe	MsiExec.exe
PID 2604 wrote to memory of 336	2604	msiexec.exe	rfusclient.exe
PID 2604 wrote to memory of 336	2604	msiexec.exe	rfusclient.exe
PID 2604 wrote to memory of 336	2604	msiexec.exe	rfusclient.exe
PID 2604 wrote to memory of 336	2604	msiexec.exe	rfusclient.exe
PID 2604 wrote to memory of 1256	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 1256	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 1256	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 1256	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 2952	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 2952	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 2952	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 2952	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 3028	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 3028	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 3028	2604	msiexec.exe	rutserv.exe
PID 2604 wrote to memory of 3028	2604	msiexec.exe	rutserv.exe
PID 1492 wrote to memory of 1824	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1824	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1824	1492	taskeng.exe	taskkill.EXE
PID 1756 wrote to memory of 3016	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 3016	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 3016	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 3016	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 568	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 568	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 568	1756	rutserv.exe	rfusclient.exe
PID 1756 wrote to memory of 568	1756	rutserv.exe	rfusclient.exe
PID 1492 wrote to memory of 1612	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1612	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1612	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1588	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1588	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 1588	1492	taskeng.exe	taskkill.EXE
PID 3016 wrote to memory of 1816	3016	rfusclient.exe	rfusclient.exe
PID 3016 wrote to memory of 1816	3016	rfusclient.exe	rfusclient.exe
PID 3016 wrote to memory of 1816	3016	rfusclient.exe	rfusclient.exe
PID 3016 wrote to memory of 1816	3016	rfusclient.exe	rfusclient.exe
PID 1492 wrote to memory of 2580	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2580	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2580	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2840	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2840	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2840	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2440	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2440	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 2440	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 3012	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 3012	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 3012	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 672	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 672	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 672	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 640	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 640	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 640	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 328	1492	taskeng.exe	taskkill.EXE
PID 1492 wrote to memory of 328	1492	taskeng.exe	taskkill.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADE1A0865E2363C0B131C7D0337D9134
  2⤵
  - Loads dropped DLL
  PID:1788
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RUT.msi"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:336
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {53403D73-ECBD-4AD9-8B52-C04AE901B435} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:672
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:328
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2852
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2744
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2440
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:1568
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2500
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:1672
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:860
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2960
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:608
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2232
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:1500
- C:\Windows\system32\taskkill.EXE
  C:\Windows\system32\taskkill.EXE /fi "USERNAME ne NT AUTHORITY\SYSTEM" /im rfusclient.exe /f
  2⤵
  - Kills process with taskkill
  PID:2116

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    PID:1816
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76344e.rbs

Filesize
31KB

MD5
118fd38645571d31b46d344dc9592e1e

SHA1
cce6beda956d729f3a0b41823eda1861d1910286

SHA256
aa5936c2605fa4f0f4c46e36cd684e4f198dd67de3bc0102db2099ae7b45ab51

SHA512
68d24cfa0db9a430dde05bb25f476ca0c30dff31908feecd7b71fa611ef5d483ff9436f97e7173b2163879d9cd4f2b9eebd188e129268de39f286d80bf0d7bea

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\Logs\rut_log_2024-04.html

Filesize
5KB

MD5
e70669d6ed31fa03c322635206d8a742

SHA1
b8496165157b2c0574b40daf449747c17dc2dc2a

SHA256
e995d9c7aa783c8c5c96ae957dac766843f1554521d3533486d14c6ef828cc27

SHA512
3403306bd650e478ca15e0a0ca7d798a7dba25527a8c020b89d11912d1818b3fadf1fc28c3a5107c6039fb6fdf6c18f2dd57fbd74d3390c7608a14ae22260446

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\eventmsg.dll

Filesize
51KB

MD5
ca8a4346b37cdd0220792885c5937b30

SHA1
eef05f4b7fb5f8aabfb93d10a6451cc77b489864

SHA256
ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

SHA512
c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe

Filesize
10.4MB

MD5
68a63168426f28bc06c7c06eac6f09d5

SHA1
ae947e6b9b3322f7837396f606e64b0f372fa78c

SHA256
02003563373af3215195ca0c23af03f845921fcfa31f58770927266b03c2ac40

SHA512
7beabe39242237dd19606392bb7970f2eea0e8d467ee42a10e8ad3608e9b6a6aa060e4cd112fce425677dcc33ea062c6224574599351e81060c348409eeb11a6

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8decoder.dll

Filesize
380KB

MD5
41acd8b6d9d80a61f2f686850e3d676a

SHA1
38428a08915cf72dd2eca25b3d87613d9aa027dd

SHA256
36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

SHA512
d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\vp8encoder.dll

Filesize
1.6MB

MD5
2ac39d6990170ca37a735f2f15f970e8

SHA1
8148a9cdc6b3fe6492281ebad79636433a6064ab

SHA256
0961d83cb25e1a50d5c0ec2f9fb0d17f2504dae0b22a865f6e1ea8e987e1c6fa

SHA512
7e30fde909d5f8efd6c2e40e125525697267273163ac35cf53561a2bd32e5dad8e4fba32905f53e422c9c73b8ad9a0c151f8d36042c5f156b50bf42dc21a9cee

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmmux.dll

Filesize
260KB

MD5
8a683f90a78778fba037565588a6f752

SHA1
011939c1fa7b73272db340c32386a13e140adc6a

SHA256
bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

SHA512
9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisdecoder.dll

Filesize
365KB

MD5
c9d412c1d30abb9d61151a10371f4140

SHA1
87120faa6b859f5e23f7344f9547b2fc228af15b

SHA256
f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

SHA512
1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

Download Submit
C:\Program Files (x86)\Remote Utilities - Host\webmvorbisencoder.dll

Filesize
860KB

MD5
a59f69797c42324540e26c7c7998c18c

SHA1
7f7bc5bc62a8744f87a7d2e30cc6dd74c72e19b4

SHA256
83e1c1eb55bfd0f2d85d41c1e4dee65046b064ccb263ec7f412a5f329c75cfd1

SHA512
837f244e6b70658974506ac35bd3ee2d413b89fe4b26e75f4a61cc7bec63e999c9c2cffb690ad567f74962bab13f2f5471300cd0e0cfe61bb1084072cb55c38b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
10e1c42c0be9eb046dd3f732e185fe37

SHA1
a3eb911e21bc73427d2f7b774a4f0af23756f46d

SHA256
dd9e2e3e99bd06add3397c5f251e21d4606af5cbc0f792a91d9fed66184d1d97

SHA512
5ce8720b246759b94971f39f6681c3a61e5320ec8ac25676a7cb3742d0be3017b82c43e38f6237ef41f3f6b4cc5e8cdc8c79278b55834ffcee96161d3e3e8061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9DC55B6ECA0E0CFB5BEE05293846B717

Filesize
727B

MD5
034f9d4ffb365645bf5e45b0b608b33c

SHA1
14849bce8bfa520ea2cc413c1486a45bc45601ff

SHA256
b6b6ca7130c029b072aeaa3c1eac26d689de0f27100c19fca992eea10b807b3f

SHA512
b8682aaf0d47807f1a60f022b3b62c8feb805ca10fa9ea0ea481c4b86cb94a7fbeb95a302fc7906e38887fadd65b628a7a30b2469ba25276e8132ba3bfd1f6d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
5ef3197565233a02f5a5d3f44cc26c8f

SHA1
def617809c4edc82dbd2715c7fa4183c8b2015b6

SHA256
d18608f4f8c51e9beb104b3906e05ac8e587f59576d1ed48b81b4c03525cda10

SHA512
326985b6c4fd6f5c6e2ad595763d110f0bd1620bb0732fb3856e6e726d1c7dabaa5d5a8a1f0c86f1872a1518f6b1f743be1b17cd0058eda7cdee321c21219f4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
271b038ed29a4f7dfe7b557685e101b6

SHA1
f07f2c2c0b984f7d2e7d5b6f9cf3deea2325bc9d

SHA256
8e36caf716e92028795dfcecdd4b809221906a1c22f39ced8833d2eb7dec50c0

SHA512
560b2ca7668ab94f351090e0c15fbf0ab4c680c8139b1a2e117dfa29a4ea57d2a7f2286082395574c7a6c113b547d3339469dccf34b81e64c3837adadb0c87b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9DC55B6ECA0E0CFB5BEE05293846B717

Filesize
408B

MD5
422904669718356c7c03817ed31a5ea1

SHA1
dc852623bd67c88ee0020c13edc282df61ab3237

SHA256
ff35e8c37308b94df33b2283a6786a114bbb800b016aa51cde5fb103edbf4f1e

SHA512
566af0009f82f7c07c7d6ad862d868933acde64f5d97cc5b642bf3e927619de89f7df31c9b065645aabe506a83d4c49a88de31ad2c64203beb6e5141d8011de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e15047ed00ea1ae43712542901a47e0

SHA1
a77749647fa6e10f3f85945c0bb8cfe925e5e6a2

SHA256
886eebf6fc5ee2dd022d4a7119303791074b69a874bc88df3942ab920cd099ec

SHA512
f31e156c293803c8801f032854d5c556658ecec922ba0464eabac32200fba9b59c07c121912899bbfe810f3ad7ae24892bbb31609d65b52d697a0e99f62a1906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
192eb40e1dde81f1587b276d07d57710

SHA1
42929e3cd19ab2b3d9285a8fe2ac31779d99bca5

SHA256
4e51d020f97d921510894080ca2aa4e15e1c37812331bf3f5f5827254b235616

SHA512
738b15888b2a5705ca925cee73bef6f69cbb6fc8c64eacb14ce612646c794e1aa0482bb19dc08e6ba6ae32340ca35f816a051245d6614ea9a0f179540ad03496

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUT.msi

Filesize
21.5MB

MD5
80e61e367f4eaafff79b82849ab40ccd

SHA1
70aa7a8ca5f774c3cbee55277eafdfafdf4c9155

SHA256
346926866d193881de8a86bc4793194195f7751d2d3fe6b02fed5e9199890795

SHA512
913152b6b32c314ce9c587f6991cd9b284859b8a347dfdef63050c1db5eaf536159b042c1670bafe2a9f35350059d7c136e6a1b760b0f7688b8b660ff9b2c2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3841.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Installer\MSI391C.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-147-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/568-195-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/1256-161-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-218-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-235-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-244-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-200-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-242-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-202-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-204-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-207-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-239-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-237-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-220-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-230-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1756-224-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/1816-199-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/1948-177-0x0000000000BE0000-0x0000000002176000-memory.dmp

Filesize
21.6MB

Download
memory/2952-165-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3016-225-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/3016-223-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/3016-219-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/3016-201-0x0000000000400000-0x0000000000F17000-memory.dmp

Filesize
11.1MB

Download
memory/3028-194-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download