rms | 380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe
Size

6.2MB
MD5

2f9dffa0fbcf7f0a855f8b06095feb55
SHA1

aac7d466f910a0f7faa13ef06b9f48fe185f4b2c
SHA256

380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
SHA512

22fec64fd0cda26b74d3da4fe92b69bd29e77200f8eb82bae658f7e442d09e365c17af215634fcda497a85db36c7f9aa0dad7de551351090f6509ed1f0e2d10b
SSDEEP

196608:8+oCQEZSkSBVTQ1CRV/ZZVSMaJOiNfmyqf5BjCJOJSc8:8sQEZS21CR/8NuZ5BeJAC

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exe2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exerfusclient.exerfusclient.exerutserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	rutserv.exe

Executes dropped EXE 5 IoCs

Processes:

rfusclient.exerfusclient.exerutserv.exerutserv.exerfusclient.exe

pid process

3128 rfusclient.exe
4724 rfusclient.exe
1504 rutserv.exe
4420 rutserv.exe
3732 rfusclient.exe

pid	process
3128	rfusclient.exe
4724	rfusclient.exe
1504	rutserv.exe
4420	rutserv.exe
3732	rfusclient.exe

Drops file in System32 directory 8 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_6D5B8E0D46046FC4C98A958D41A4CFB6	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

Processes:

rutserv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rutserv.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rutserv.exerutserv.exe

pid	process
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
4420	rutserv.exe
4420	rutserv.exe
4420	rutserv.exe
4420	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1504	rutserv.exe
Token: SeTakeOwnershipPrivilege	4420	rutserv.exe
Token: SeTcbPrivilege	4420	rutserv.exe
Token: SeTcbPrivilege	4420	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rfusclient.exe

pid process

3732 rfusclient.exe
3732 rfusclient.exe
3732 rfusclient.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

rfusclient.exe

pid process

3732 rfusclient.exe
3732 rfusclient.exe
3732 rfusclient.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

rutserv.exerutserv.exe

pid process

1504 rutserv.exe
1504 rutserv.exe
1504 rutserv.exe
1504 rutserv.exe
4420 rutserv.exe
4420 rutserv.exe
4420 rutserv.exe
4420 rutserv.exe

pid	process
3732	rfusclient.exe
3732	rfusclient.exe
3732	rfusclient.exe

pid	process
3732	rfusclient.exe
3732	rfusclient.exe
3732	rfusclient.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.execmd.exerfusclient.exerfusclient.exerutserv.exe

description	pid	process	target process
PID 4048 wrote to memory of 3876	4048	2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe	cmd.exe
PID 4048 wrote to memory of 3876	4048	2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe	cmd.exe
PID 4048 wrote to memory of 3876	4048	2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe	cmd.exe
PID 3876 wrote to memory of 3128	3876	cmd.exe	rfusclient.exe
PID 3876 wrote to memory of 3128	3876	cmd.exe	rfusclient.exe
PID 3876 wrote to memory of 3128	3876	cmd.exe	rfusclient.exe
PID 3128 wrote to memory of 4724	3128	rfusclient.exe	rfusclient.exe
PID 3128 wrote to memory of 4724	3128	rfusclient.exe	rfusclient.exe
PID 3128 wrote to memory of 4724	3128	rfusclient.exe	rfusclient.exe
PID 4724 wrote to memory of 1504	4724	rfusclient.exe	rutserv.exe
PID 4724 wrote to memory of 1504	4724	rfusclient.exe	rutserv.exe
PID 4724 wrote to memory of 1504	4724	rfusclient.exe	rutserv.exe
PID 4420 wrote to memory of 3732	4420	rutserv.exe	rfusclient.exe
PID 4420 wrote to memory of 3732	4420	rutserv.exe	rfusclient.exe
PID 4420 wrote to memory of 3732	4420	rutserv.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f9dffa0fbcf7f0a855f8b06095feb55_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
    rfusclient.exe -deploy
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rfusclient.exe" -run_agent
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rutserv.exe
        
        "C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rutserv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1504
      - C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rutserv.exe -second
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rfusclient.exe
        
        C:\Users\Admin\AppData\Roaming\RUT-Agent\67001\AD9EEE9164\rfusclient.exe /tray /user
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arabic.lg

Filesize
49KB

MD5
c2d79818802cbeadd705484d8e0837f1

SHA1
6ff5cdae101a9fcd8b33f00518d69b834df6438c

SHA256
c931d8b2bbf24b1913c2efc7068504463357c0d52f4c0a5c541d88128eab38dd

SHA512
e9ffa05b3fab21d1d768bfddf836682d8fa9cc2b2dc7de41c9617f41a565ea17ccb5fa4d1d5b1fba067fd7213069f2b57ab1223c2f710581c4c694e1bca188b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Simplified.lg

Filesize
37KB

MD5
2880a7b4754ae9fe8e2a398dc2200c7f

SHA1
749ec042c7e131345cdd65b79fbda4bc97663ce0

SHA256
f5847037948f50f9b43e7afba413bae51e23cc6a701b9df9115862d4c0e6b939

SHA512
85adecb6e368ef688617e27853f31e6b181e3e5e737d23fc4399c56fceb75ce6eca9e5634fdc8d9f411ab36b4ae10a519aa3a5b5d427df83141c58f0f58fa545

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chinese Traditional.lg

Filesize
37KB

MD5
941b5152a84d22957d0ac97e6378886b

SHA1
87788f770fb2ce6be9f4d855156948b3ccccabc6

SHA256
0453249e25af1aa571391c4851ebdb59d2d531b18b52393e69f12fdde77a408a

SHA512
6ff3bbcf84decd62a774086f286157032ef82da0fc85403f9b592cdb920c070adbd12e3fd213e8d4d7fe4f3d96dd9a4db95e933786456cca75dea5c2aba0d5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Czech.lg

Filesize
52KB

MD5
6010c9707936787350196da8ef0f6fcd

SHA1
459475acd7c7d5177ed04ff2a54ee73cd0cf186a

SHA256
fd1f093b49dd56645e91cad9cc3bbb3a163ed5171fe9d9987f358c782a02b874

SHA512
49f47d5044801fbc9f7afed82eb0b7c63fb6256f56873ba0f746496d85d916990eaebbb3967f0902bc0e6a64e1bbadd6b58c41b316a48b72a114e3e4b7b11557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Danish.lg

Filesize
52KB

MD5
f39a0904bb996a2c0f1a8f5c3b79026d

SHA1
f5043fb70dea903cbbfb5c2e906c7b104e0fc580

SHA256
b299f16c926953afe6464b41aab1f388e8551e4c800e22ef4c79f6b00f2871f9

SHA512
caa7e8b0772da1b54c1516e1b64d6ab2d33d807095e3f5cfb434086ae6f8c2b503cddf54736785ce4e0aac6496d31f54d9d8128c5ec9b669460bf12eb5d2f063

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dutch.lg

Filesize
55KB

MD5
14f1ab1ddf793d2a5077acc6b74c8511

SHA1
d24f467e2606e9c7f44ee36a3380f121afd63346

SHA256
788f00721a50ae903baa2228216e9b8da33d48694b0c0720e7b07f1f5eb2bffb

SHA512
f3263120e6a82aea4fb7c086d3f8b646a68b0ca95ce6e9e64d60328be6f25906f85a5dc821f5782e04587b4026ffc3831b38d87c3916e179e8a8d94fec55a610

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

Filesize
49KB

MD5
722fe688f60b4649265f5177a8c0c0ca

SHA1
9532e0de2b2d1eeacc19f15602904ae14231df6b

SHA256
2e551329bf8cb93e665c17bac916776d75091ff190b7ccff8a48fb0de0d582b5

SHA512
1248a6e94c1f75e398096f2d773822b2faf4e18438628e4874e4fc143bcf8adfc59f145de5838e1d9127795ab2de443ba6ba149e9dac3958d534356f98aa791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

Filesize
52KB

MD5
43a918e5525a93a0ee95cb389d5af137

SHA1
4aaf281e2e71349dfc1049739b8ef7eb9a7f022a

SHA256
bae337e6a312560dc252986fb5962b53a76b4dd0d0ac82be4a68584e5b93d999

SHA512
c6a10652b58248adcf298ce06cfcf20a47bb280334a7092958fcec481734460a33765c5ef8b6f5ac5cb7434c46c044628b786fb6bcd42b1b1ed5c0a44cac80e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\French.lg

Filesize
55KB

MD5
b2e2e420c42ff3f1a15a55a7082f4db8

SHA1
a9199fc1110a7b94af91f87a64471a9f92cf8502

SHA256
0da35a4653089aa56d55d588383f5d7cfee5c3ac6ab18bfff63ae476a7432317

SHA512
6b4f514d22a96d3a15bbea9bcfc69c366412801a85ecc79e84ff1c7ca61cb03ff8a9230a03a152919f38d9d33eb8da3ab3d9603783cd39f4eb08134b6e513aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\German.lg

Filesize
54KB

MD5
23bd8de97feb30e3a2839fd20d3085e6

SHA1
17cf5ae4f71927007ea0ed5d01b705a341037f32

SHA256
5abe6c28675da74ad7e42db6d8058c5c0c686a65730fdcf0e9f10e8db02578f6

SHA512
7637f7516dad2fa9e7f7c24146353f619fab029033c4c8f1269f4365573341518979048ba9e2533b240ec9fc74d6b6e05ac17bde02cf5c66e584f049fbf9ad89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hebrew.lg

Filesize
46KB

MD5
7f56153d27cb39f39f77157a694e78a9

SHA1
693f5253149ada090c17f4e71d4494517b9698f3

SHA256
f5c3546c791257c5be698dfd2bec288bfdf0d7bf0635da565d7f1c12fce5bbc7

SHA512
837c3f5cc8c53cfa60a6093610985da317eaa8ecefd5e60bff446fe2f18c4e4785d44d9ef30915bdce117e24b10c019774c89db78043bcbbfb128ae359bf94e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Italian.lg

Filesize
54KB

MD5
abfb24fbb43d157bf0cb351b5d79f899

SHA1
25acb7914e88658f197a05253ccaf4747a1d373a

SHA256
72f90bba8609d73510653f7ee86d32a190e28a471644ecf02da0f62acc6a14ce

SHA512
c441917524e95c0e2f1b985c61beed93b8b231c7564538b8db61cb86928af3904ee3eb697795e46aa9857989766c0e68e877b83d309aec13896e8f79fc6d30c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Japanese.lg

Filesize
42KB

MD5
cfe34194adf52a91b17873f4b5ccf25c

SHA1
7166e5b426f041328a40ac7b33c7ceb48c28812c

SHA256
62f739ac1634a0bebdbc9d58c98f1854c9f1b910a0f9cc39a395eaf415972a05

SHA512
ea09f1598553b1e9a98d56754d910f0e1d01cee379863d4326e9a5359d2d613ec8ccddf3aeb67df1602a358756633a9172687270480a6e46da854e4f7efce36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Korean.lg

Filesize
40KB

MD5
0cffb7a11267556cb304448773ae044d

SHA1
d870c5151120339d2bc21fbb3e68b45d124f975e

SHA256
a1980d26e101ab76b24ab39af921d1a62f51ededd852817dc264e3a14999cf34

SHA512
caf769c70acbe00040b36c1e08558624645130de927602bd465cbd302c6eab240ca6b2c6e55e60573d34b1485a88ca579f83170e97061c9fa4fed325a1a7781d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Norwegian.lg

Filesize
51KB

MD5
75221ecbf10ff95ec5be1846ae1296f9

SHA1
bb5430512a45bd05bd0769e943b357027ec7e3f1

SHA256
f5e419e8be9e2117070e64b18b83696da58608c9551c923227afd5d836c0cc8b

SHA512
494c4cd97328bfab4f0e3220fa634d471b9547d7b335d98d16cf720b7d6cb8ea51e69005e37dbfce4ebc1a195a002fe004481652f1ce0e8c592934f199e9997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Polish.lg

Filesize
53KB

MD5
c4aea33f6ca1e44d2622757809efbe3d

SHA1
f88d67a3b79e4a0edc86913b8e018d8d8d81c38a

SHA256
2cc9e21ea10eeb73e4a2c045be37aa65cfee92a8140bface26ace1cb9eebee74

SHA512
3ec757e41d3b19bd228118b3a464cb62d498b807527cf135d0c2e66bb3be1222387b2e55b2df521e57e64ffdc63ce728e4cee8ebb5ce607895737265ee9c0585

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese, Brazilian.lg

Filesize
54KB

MD5
88ab1daae092daaeef5b989042dee947

SHA1
465999677675539801920b14ebeb3499ade5ab14

SHA256
c24dc2d4cf4b2cb561d6c9a9555a783892fe94a122740baa4a357f965ae17e35

SHA512
b3c66d41563c44442216520349e3652478358b1172a35fd51082ef2089c440901c1fe637ebe593eaaf8f3044e31c8ab1af375f8b46f1a0ef7eb650e6b96805cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Portuguese.lg

Filesize
54KB

MD5
aed6d282a6629e42ecfa3232e23a5216

SHA1
c2f87725f4d92b310c31ecab86223103ce29fedc

SHA256
235b1e0933ddf1c4085d1c6dd7d2422712e533fa3ad68ddbdac853ef3cae666f

SHA512
77948e9590f64716b9e9cba09a76dac488da0f7795e010c85da409dd130df2592719f284b368b288aeed07c5bb604178c40e8d4579854685c99a57a5213a9095

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

Filesize
151KB

MD5
435d9e1fd4b87308f0f91da25530d4ec

SHA1
a9b0c513b930f4c2ef86cb75a8de1fe16eb6d996

SHA256
05040b677d7697b4f97da173c6c07146d3bde327833fd2022bf2cb67f90389ca

SHA512
9a84f8e75c855ca4d3892591e4d2ed4d37368d8ed8c28fd48093534a8283c21a483ab50d930adc10d8dda5fb25338dd247004fdf08dd9f60cf038a0b61fba33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

Filesize
967KB

MD5
534d6f176f6cbc725f9e7db8028cd3f7

SHA1
35b53f2e344f4a908a551409d018a91dc58100d5

SHA256
e713f288a46aad762f76c945467bb3ea7c84edfc56cec1c4c1b40d9f919bdcc0

SHA512
1fc1bd8d094d458541596322588750ecc66a2b3f809b0361a5c104adf72972c4bf2f08e4b58f347e56afd4e8019942ba0ba3346a85169958de1cedfde5a15849

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spanish.lg

Filesize
54KB

MD5
b3d324c27ab00d69faf880e6a00c0d9e

SHA1
1227fa85d17c168273ca76607f94763db4e9071c

SHA256
7f499c32a7228594fbbf14be30666988457f83c394de95676dc808d425076be8

SHA512
9c805925c5bdd42f27095c3a9188df9d44f9ff854c2e0f7cfd23dd8b781ee8261ee660a78ab9d1d16a234413ee57031faef6bcfdf0ee41936f058dfb4cc401dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Swedish.lg

Filesize
51KB

MD5
2f0f8806184b908e3314e72b326a270c

SHA1
0ac6d867e16bb2cd8b442143b752b8d1a796196a

SHA256
bb244095ee74a813a7ac61b3570d2d0730a7884d8fe31cfd25829072df32084d

SHA512
71f6b9f0408a979b9bc4214661ef1b93a8b0d59b44acd325fbd52c72c39c7fe710a715faae17190f84aae3f5d38bf2733444294386214ee9f057b676c674eb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turkish.lg

Filesize
54KB

MD5
bcc703a64040a09407b870196f5e4e45

SHA1
3923c0736d93c8c3108d018dc9ef2681302d2697

SHA256
bb98025305c7954ee15b3f94850164617088864f0685b8f2358389fb94b6f2b1

SHA512
692e7b7e915f2e69359254e416b462e7481844a4ae1bb6274afc2b349714a103ea776b6fa1308a7458ea08505bab2ef78e668ac7625a36a7879d8935e38f0e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

Filesize
414B

MD5
dde9aef2dbb3348503e6f94b96b4679d

SHA1
1e91c6adb4f6c90d0054508ee7f8279bb426f906

SHA256
026729265db5cf426f94baedd9cbff3af67817b48a5f8245ebd17b69702a4d1e

SHA512
a6c529eb05174dc81ddd603aab1b41ef2b4d93ca0ab1ed17a83bb56fa153b1e656956d4fb29ec355dcb75eaf392fe82aca22fa9fc5d7f010ca0240c70a1e65d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

Filesize
86B

MD5
90b15937ff9ec75f7016e171bd1261ce

SHA1
3fa80c58e8bf6c3ab356047cfaa14187328c3732

SHA256
eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a

SHA512
993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\drvinstaller32.exe

Filesize
145KB

MD5
2dc45cbcce2a4d1eb1e28d1d51e53ad6

SHA1
d7a62a73bc27886ed524bc961392038f018c4150

SHA256
f5d93809fdc5912f82201ae5e1626085b5f798c2f4d7c9e5cca7dfacace69d33

SHA512
22819b53defbc83909e3e1ff117816b9720cbfca3c8f27d58ad76ac8187056404b430274d00cc964984fcf23036b246496213dc3146405b92db43d8d2043b2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\drvinstaller64.exe

Filesize
218KB

MD5
bf25bed1f6c00110503ae135e500ebdf

SHA1
4ac12609265f47f75f2cdbe0fa0bf313cfe5e149

SHA256
5517516030166606f2bdcd34a4990dee896a22be1fc23c700fc16743520c519a

SHA512
7f4c14382755b22159d2929503f7e515130e57893399beffa019b90452014520e8d58bb2ee2cb807449e6dd0462e57d092f10f3fe345f2ca355682b2fd616ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
25B

MD5
9b7ac054975f8f7b6fe9a41a18e2d6e7

SHA1
d820008d3732f37a7e4030c4bd414e3764de1af7

SHA256
815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255

SHA512
806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lockscr.cat

Filesize
8KB

MD5
d3710d7c70cdea8ced943458b2206bad

SHA1
d9851beae95f6035fd074706fccfd9cb8fecbc24

SHA256
54a00f5913185f05d2011de575da343c64fac54e7a857ab5f066e68ab11368ef

SHA512
e2d10f269d905c81b91951f61ce80e9c0967e06904c241b16b98e5f1a5441b8d20458028be0df483f8b66e9367b63f184b8678436364b182571db926757cef5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lockscr.inf

Filesize
1KB

MD5
22d30a038b3db6ef939bb05f697eb3d4

SHA1
7e76546c510fd6a2aab96592f4b1a5a40eca74bc

SHA256
1f9fe7037c44ba4fd44e15b8cfabe79265331d6ae146045fa15e2c02c6212c1a

SHA512
a3ca9dd6e973a1c5edacefc7b073ebe630a2737c79ccac88c85374e863aacdeb90f62fd97655161dead484137c956ff40461a492842562cd847800114dc4afbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lockscr.sys

Filesize
13KB

MD5
fa01dab3229ca22caaa15a245c488f6f

SHA1
9b8aa9041529aa5c0b1f2fbc0ad73744d95b5ceb

SHA256
e1363e7b917c96a03c74e6e7dfcc1e374b64ef86005e9f7d624cf77b785a85ba

SHA512
5fec23eb388730639cec22b8b2c9a46577e4548e12a7747e0abe32ea4c86d8b72f1f455c7210729d6ffb60880e7243d434f56a3b0f91fa58f32b7a4246d35a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

Filesize
9KB

MD5
14de12f4f6f9f532deb3e123fb57a2a0

SHA1
96f2489c2b2da6df3fdfa6e44c1e17dd9f060760

SHA256
34cb11668b94da5bc94dd796cb9b30dc4fcc9bca6d54c0fa9a2bb2380931f8bc

SHA512
4836d89f3f306a8dc6d39ad1f728cad44a94615ccc52654d8edfb5dabcd4d66bd6c31e2b45b9629375d835155c043779f28342f1d77055a1c4274aabedc02854

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

Filesize
5.5MB

MD5
8c02162cc76462832b086b5e70f7d444

SHA1
79c1531687173aaf211a4f8c72563d040d4a7120

SHA256
9f0bc46baa958836aa3fb26f282461bb4a9d016f8411a4ff552d882276f23929

SHA512
2d18db42acc2794d5db73a51eaed2de7ba56d54da044120216678b0aad7e380fa2625e580efd80fe3621e2200c99feb45b5f0a7a6787597e9c4a53af605c4767

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

Filesize
9.4MB

MD5
24baa81aeb934d82b7ad61e64794c7ed

SHA1
a3b139e76050b726422aa66bf11b30ce0888690c

SHA256
671b46750e720a5d3f8c07c23bf2c405f19681263008080995c42810883512ca

SHA512
b627558fde4d18f276f92f24030c6cf5eb1158b060e327565be56639862934c6413de8285aa97c046e3f21d9532531d20d89ef2f885d5951640e48d851777541

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

Filesize
2KB

MD5
70221c448bbe018a01530ec3d7d28dff

SHA1
e3b608ec5fa0f451e1521a714e5ea04610c93a09

SHA256
4804d405775fb5449438aa3d99a273b0f13f860850a9ca5dff0787d6cc861720

SHA512
9cd68d70ac17dfe4fdbce47aef62342890ac6b41b23e6b844d17f0d4313bd4ebfc0801d39e64731b7f5e0bbc27674d89b0ce5657c887bb3554e1e99f1dfce15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

Filesize
381KB

MD5
381f1b7d8f7da904827980dae02f77a9

SHA1
81d4d5724533b26391301be2b462f580395d5485

SHA256
f14dab0b9f18aced330729b4a772e6b139817be01783b97b92e9af5fc26615d2

SHA512
44a5eee558c727c9c07301dc0190a00807d1749f83c57f76c4f8cdde4bbdf4b44bb1086cc2fcb7aff0a73949ae7aaa17d33d9cd3b0a70c4f51b724812e1bd6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

Filesize
1.6MB

MD5
3e6c2703e1c8b6b2b3512aff48099462

SHA1
b17a7f9cce16540b1f0e3dceae9dc7e8e855cb1b

SHA256
616a0047b5f28a071fc26dd9b0fd90d5110c77a3635565cebc24b6362d8c9844

SHA512
70d0c5cb8542ca0600d38aee9030ea3dd9b0951a7d96ac1b8f1af9e71c5357c33f433913ef9d2e3254a9ac95e5678764ab22184fbcec998a9bbb8d75731c9dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

Filesize
261KB

MD5
026d12b240e081794c730c1ed24a6f33

SHA1
bb6c0544ecc2c8db68b23b8e4feab5b3261b4666

SHA256
d639adb51c6e3ee8c249d11eb8db606ba2aa37d4f12f80f2b9685d8f560984bf

SHA512
5b88ee5c7cee966867eec31ad468aa19353a2a2b1a84995ac1bedeaf5e60b1b015f73fcd35644c4365cf8f1981b3de057483838b7deaad5599f9c2a24f60d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

Filesize
366KB

MD5
2943b9910b1c7cc04024888502885256

SHA1
e2ac697a558fa85ff4c9e2bb114138870a80f146

SHA256
78115050f4e99372fc10b19a14af60e623ddfda224c8e96340cb5d8166507e2b

SHA512
8d9d0d60622b958ab0f7c1f1d050fb53ba11cf19aa513fde9f7b7772fb6949b3e50907ed519fdc89e2bdf0ffb33ff084094af56abd3f9d1d2faef9d27990fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

Filesize
861KB

MD5
74a8ebf5d8e08e284d734fe5feebd67d

SHA1
87fb627c6e63eb41e26f389b38d525ccf0c11590

SHA256
1a9632b9e061b56017d2eb8d15c20e60a9518b4de5faa0399eaba0a17c10045d

SHA512
230f84f3fdb335a6044e6a83154de27e853b66ce6b8963b5f1991c462d69cc702a5cf7ee20717ec9f6e688398579fe18102a48f418b74333f476255b1cdbf8b9

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1504-140-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/3128-86-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3128-135-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/3732-157-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/3732-162-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/3732-152-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/3732-154-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/4420-151-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-153-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-161-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-167-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-175-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-180-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4420-185-0x0000000000400000-0x0000000000E14000-memory.dmp

Filesize
10.1MB

Download
memory/4724-138-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download