Malware Analysis Report

2025-05-05 22:37

Sample ID 250420-g72jcsv1hv
Target JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5
SHA256 16cac4973e4cd7c600369a024e3336f4eebc89a4174152ce61e6b95dbcc29931
Tags
rms discovery rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16cac4973e4cd7c600369a024e3336f4eebc89a4174152ce61e6b95dbcc29931

Threat Level: Known bad

The file JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5 was found to be: Known bad.

Malicious Activity Summary

rms discovery rat trojan upx

RMS

Rms family

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-20 06:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-20 06:27

Reported

2025-04-20 06:30

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"

Signatures

RMS

trojan rat rms

Rms family

rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(8 hits recorded; the sandbox attached no description, indicator, process or target to any of them)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\RWLN.dll C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A

UPX packed file

upx
Description Indicator Process Target
(50 hits recorded; the sandbox attached no description, indicator, process or target to any of them)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\RWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\2.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\RWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\regt.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\regt.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\2.exe C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: 33 N/A C:\Progra~1\Remote Manipulator System - Server\2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3492 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3492 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3492 wrote to memory of 5496 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 5496 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 5496 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 5872 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 5872 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 5872 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 3492 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 4436 wrote to memory of 4884 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4436 wrote to memory of 4884 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4436 wrote to memory of 4884 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4436 wrote to memory of 60 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4436 wrote to memory of 60 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4436 wrote to memory of 60 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 3492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 3492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 3492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 4884 wrote to memory of 1412 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4884 wrote to memory of 1412 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 4884 wrote to memory of 1412 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~7CC1.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe""

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Progra~1\Remote Manipulator System - Server/regt.reg"

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /silentinstall

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /firewall

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /start

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server\rutserv.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray

C:\Progra~1\Remote Manipulator System - Server\2.exe

"C:\Progra~1\Remote Manipulator System - Server\2.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray
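The process list above is the complete silent-install chain: the dropper runs a batch file from Temp, the batch imports regt.reg with regedit /s, then drives rutserv.exe through /silentinstall, /firewall and /start, after which the service instance of rutserv.exe launches rfusclient.exe for the user session. The Python below is an added example, not part of the sandbox report or of the RMS product: it reconstructs the process tree from process-creation records constructed from the command lines and PIDs in this report (a hypothetical "pid|ppid|image|command line" layout, not a real Sysmon or EDR schema) and flags each stage of the chain. The rule names, and the parent PID 0 used where the report records no parent, are this example's own choices.

```python
"""Reconstruct the process tree from process-creation records and flag the
RMS silent-install chain recorded in this report.

Record format "pid|ppid|image|command line" is a hypothetical flat schema for
this example, not a real Sysmon or EDR layout."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

RMS_DIR = r"C:\Progra~1\Remote Manipulator System - Server"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"

# Constructed from the behavioral1 Processes and WriteProcessMemory sections.
# The service instance of rutserv.exe (PID 4436) has no recorded parent in the
# report, so its ppid is given as 0 here; the dropper's parent is likewise 0.
EVENTS = "\n".join([
    f'3340|0|{DROPPER}|"{DROPPER}"',
    f'3492|3340|C:\\Windows\\SysWOW64\\cmd.exe|cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\~7CC1.bat" "{DROPPER}""',
    f'2964|3492|C:\\Windows\\SysWOW64\\regedit.exe|regedit /s "{RMS_DIR}/regt.reg"',
    f'5496|3492|{RMS_DIR}\\rutserv.exe|"{RMS_DIR}/rutserv.exe" /silentinstall',
    f'5872|3492|{RMS_DIR}\\rutserv.exe|"{RMS_DIR}/rutserv.exe" /firewall',
    f'3852|3492|{RMS_DIR}\\rutserv.exe|"{RMS_DIR}/rutserv.exe" /start',
    f'4436|0|{RMS_DIR}\\rutserv.exe|"{RMS_DIR}\\rutserv.exe"',
    f'4884|4436|{RMS_DIR}\\rfusclient.exe|"{RMS_DIR}\\rfusclient.exe"',
    f'60|4436|{RMS_DIR}\\rfusclient.exe|"{RMS_DIR}\\rfusclient.exe" /tray',
    f'4588|3492|{RMS_DIR}\\2.exe|"{RMS_DIR}\\2.exe"',
    f'1412|4884|{RMS_DIR}\\rfusclient.exe|"{RMS_DIR}\\rfusclient.exe" /tray',
])


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    chain: List[str]          # image basenames, root of the tree first
    detail: str = ""


def basename(path: str) -> str:
    # The sample mixes "\" and "/" inside one path, so split on both.
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def switches(cmdline: str) -> Set[str]:
    return {tok.lower() for tok in cmdline.split() if tok.startswith("/")}


def parse_events(text: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        if line.strip():
            pid, ppid, image, cmdline = line.split("|", 3)
            procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def chain(procs: Dict[int, Proc], pid: int) -> List[str]:
    names: List[str] = []
    seen: Set[int] = set()
    while pid in procs and pid not in seen:   # stop at an unknown parent or a pid cycle
        seen.add(pid)
        names.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return names[::-1]


INSTALL_SWITCHES = {"/silentinstall", "/firewall", "/start"}


def analyze(text: str) -> List[Finding]:
    procs = parse_events(text)
    findings: List[Finding] = []
    by_parent: Dict[int, Set[str]] = {}
    for p in procs.values():
        name = basename(p.image)
        # 1. A batch file run from a user temp directory is the launcher of the chain.
        if name == "cmd.exe" and re.search(r'\\temp\\[^"]*\.bat\b', p.cmdline, re.I):
            findings.append(Finding("temp_batch_launcher", p.pid, chain(procs, p.pid)))
        # 2. Silent import of a .reg file that lives in the RMS install directory:
        #    the batch seeds the host configuration before the service is installed.
        if name == "regedit.exe" and "/s" in switches(p.cmdline) \
                and "remote manipulator system" in p.cmdline.lower():
            findings.append(Finding("rms_reg_import", p.pid, chain(procs, p.pid)))
        # 3. Collect rutserv.exe install switches per parent; evaluated after the loop.
        if name == "rutserv.exe":
            by_parent.setdefault(p.ppid, set()).update(switches(p.cmdline) & INSTALL_SWITCHES)
        # 4. The user-session component started by the rutserv.exe service instance.
        if name == "rfusclient.exe" and p.ppid in procs \
                and basename(procs[p.ppid].image) == "rutserv.exe":
            findings.append(Finding("rms_client_spawn", p.pid, chain(procs, p.pid)))
    # rutserv.exe /silentinstall, /firewall and /start under one parent is the
    # unattended install sequence; /silentinstall alone is enough to alert on.
    for ppid, seen in by_parent.items():
        if "/silentinstall" in seen:
            findings.append(Finding("rms_silent_install", ppid, chain(procs, ppid),
                                    " ".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {' -> '.join(f.chain)} {f.detail}")
```

The chain is keyed on behaviour rather than on the dropped-file hashes, which change with every repacked build of the installer: a parent that issues rutserv.exe /silentinstall from a batch file in Temp, followed by a silent regedit import from the RMS folder, is the same whichever packer wrapped it.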

Network

Country Destination Domain Proto
US 8.8.8.8:53 server.tektonit.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
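The table above mixes three kinds of traffic: DNS lookups to 8.8.8.8, TCP sessions on port 5655 to the RMS vendor's server.tektonit.ru, and a run of lookups for axeline.ru that is never followed by a connection. The Python below is an added example, not part of the report: it parses the rows exactly as listed above and separates endpoints that were actually contacted from names that were only resolved, flagging TCP sessions on non-web ports. The classification rules (53/udp is a lookup, 80 and 443 are web) are this example's own simplification.

```python
"""Triage of a sandbox Network table: separate hosts that were contacted from
names that were only looked up, and flag TCP sessions on non-web ports.

ROWS is the behavioral1 Network table of this report, copied as listed; the
classification rules are this example's simplification."""
from collections import Counter
from typing import Dict, List, Tuple

ROWS = """
US 8.8.8.8:53 server.tektonit.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
"""

Row = Tuple[str, str, int, str, str]   # country, ip, port, domain, proto
WEB_PORTS = {80, 443}


def parse_rows(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue                       # blank line or the column header
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto.lower()))
    return rows


def is_lookup(row: Row) -> bool:
    return row[2] == 53 and row[4] == "udp"


def triage(text: str) -> Dict[str, object]:
    rows = parse_rows(text)
    lookups = Counter(r[3] for r in rows if is_lookup(r))
    sessions = Counter((r[1], r[2], r[3], r[4]) for r in rows if not is_lookup(r))
    contacted_names = {d for (_, _, d, _) in sessions}
    return {
        # how often each name was resolved
        "dns_queries": dict(lookups),
        # endpoints with an actual session, with the session count
        "contacted": {f"{ip}:{port} {d} {proto}": n
                      for (ip, port, d, proto), n in sessions.items()},
        # names that were resolved but never followed by a session
        "queried_only": {d: n for d, n in lookups.items() if d not in contacted_names},
        # TCP sessions that do not look like ordinary web traffic
        "non_web_tcp": [(ip, port, d, n) for (ip, port, d, proto), n in sessions.items()
                        if proto == "tcp" and port not in WEB_PORTS],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ROWS), indent=2))
```

Two things fall out of the split. The only sustained sessions are the three on 5655/tcp to server.tektonit.ru, which is the endpoint worth alerting on: a workstation opening that port to the RMS vendor's server is the installed host checking in, and it does not change when the installer is repacked. axeline.ru was resolved 23 times but never contacted, so before adding it to a block list check the pcap for whether the name failed to resolve in the sandbox or the connection was simply never attempted. The c.pki.goog traffic on port 80 is certificate-status background noise rather than part of the sample's behaviour.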

Files

C:\Users\Admin\AppData\Local\Temp\~7CC1.bat

MD5 b52667d499d9dbed23dac069304b6840
SHA1 6dad39062092c7a0848461bd58705e78e1278523
SHA256 89c6308579a63fcbd5251295dd66aa04e5244f307e84baaff3442efab4dd9af0
SHA512 e7c4ecbe03b977052045c3974291390c1a66bf1b41e84418fea834d57bc4383575c449ddda3d6e207e6d1a3bfef285a3ffb8040a4a8dccd61f2315161e913bc4

C:\Users\Admin\AppData\Local\dsfOggMux.dll

MD5 7a41cd795b23af76c8b0bd308ba5e05d
SHA1 0d2d0446f1f8f805bf3582d48a1af52611511323
SHA256 2219a7fd3f0f476cab1ddfdbe1910f174611a77eda3a577d716466b8dc567227
SHA512 82d6b9419e66a8e2095e0e60603f0cd3948b752fc37ade8ff58d2483f164f3ade1463df1780d6fca98089d09c48e05e4dbdb4548d048e4f19f781b84d5ba42d1

C:\Users\Admin\AppData\Local\RWLN.dll

MD5 bef74ba9847cb190d4a3d04867776ccb
SHA1 43c5af859bfe1433be301f617dc5358d829a5a6e
SHA256 2fc28c943aa12fdf2414c3b094990bea80b9c6c8f3ab0bd4ea7bf5f128f10ff7
SHA512 f27351ffe6d80d4903d787ee6f737d83896b8089b82c40cb533a266178d26d736d084dca64fa13dff36be72c8b6eb255762eb88f0c00d2d3c2edea4670b57210

C:\Users\Admin\AppData\Local\rversionlib.dll

MD5 c666557b54f67145124ede6ac593cf6a
SHA1 67fcdb013314075fe26e2c9eaa23190a9590720f
SHA256 e02d4a45dd90b783501f6cb4ac279f8cece0048b7dcf58127e6bfc9c7297051f
SHA512 5c37ced671fb3516eb968573090d06a7c3ff687451e99bd624647e6c595656698ec64be47244bf5f31748129e437d20034632c6792827c1d9782a66567d20f37

C:\Users\Admin\AppData\Local\rutserv.exe

MD5 b27e7b4ec2e399afa25f00991947e0ff
SHA1 6a9426584a5aca376875f1dedc42ea1e711a3dec
SHA256 fd761d45d630b3ddb2e9b287485466afbb4774036d745918eee3bec063028eeb
SHA512 a578fe91e57216a276b32d56b0bd619e06e2c6671f71c092cc8904b1c6caadb97577a9ada0624c903dabd6fb444533b9f7c1adb9427df33ce638aacfad29cd05

C:\Users\Admin\AppData\Local\Russian.lg

MD5 449b3a734459150913b7b2eb59f51316
SHA1 48985f309b36af45473b5f381c8d91ee8a28290b
SHA256 1d5990207f504d183356913aceccbd1e3f8b55c4918a4ca19ab6e920a721ed5f
SHA512 f6745acf57235456604b5d05920f0db69898242626a2629dbcda7061eed6f94441d87a567fde25bdd89abf20c1dcf5cc34a222fbf1771aa1716722de264776ab

C:\Users\Admin\AppData\Local\RIPCServer.dll

MD5 2bfd175807671afefef2e01783fe23c1
SHA1 14ef7158aace0ff7680af001ea9e1f237e5c5759
SHA256 1f8477f058596a56c86a3427c4351bc03aff0ccea415b8a9f7d568add3ebc138
SHA512 d93ade22bd6e0ab9c9e682a2a91957b22e6b61fcef835136b88209da1c1d661befa7fbbaa420efd1e6a10efab7dd2d36235daa60efbc702992a2147329a4854d

C:\Users\Admin\AppData\Local\rfusclient.exe

MD5 bcb751e5c84a5a523d2de04764e237da
SHA1 d9dfd3b5f4f7231aa189686a05e538ba86d51855
SHA256 ac65d29206b2524f9a1cc618ccfc2a6749d5883001ca1d5023f46488b256195f
SHA512 71d9eccd6b1d7e2ea7676fd42a8748908c6239e16b7ab3f63b3c516f8e8d2be8eee90cb4b0dfb966b5edf179b14b033e85287bba0a2e4f66cb06a7d1c3e30854

C:\Users\Admin\AppData\Local\PushSource.ax

MD5 d7eb741be9c97a6d1063102f0e4ca44d
SHA1 bf8bdca7f56ed39fb96141ae9593dec497f4e2c8
SHA256 0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7
SHA512 cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

C:\Users\Admin\AppData\Local\Microsoft.VC80.CRT.manifest

MD5 d34b3da03c59f38a510eaa8ccc151ec7
SHA1 41b978588a9902f5e14b2b693973cb210ed900b2
SHA256 a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

C:\Users\Admin\AppData\Local\msvcr80.dll

MD5 548e8dc4550f0102dc844269897e08a8
SHA1 071fde0b108957cc05c357e68e420fbb6bb14099
SHA256 85b49c630b6d57bda300e10e9f99b39f7a8e94d85abe648a257a56e888b9f7d1
SHA512 7dbbfc3ebae13791ef88d157d9219d46bd5144689d2279c4d2bc5df8904de1bda32eac917b4dca2b9da1765b903949708edc7e538c950a264bee084a4f7862af

C:\Users\Admin\AppData\Local\dsfTheoraEncoder.dll

MD5 6e8e3aea0d24d51dfa0d31194ed63129
SHA1 bf1f37a18ce7c050b528ea5eb3f913de8f85600f
SHA256 94871b30d2eac92d01d7823f6b5fae749115394f79bf8e2e7abd489dc13a42f7
SHA512 147adaa6716cc0ca17d91675cd73d1e4c299282aefac4095536bb7fd2211004bafd6e398e04c933d266683b1e578d0e1f50143615ac9953eba99a3d55ab03a38

C:\Users\Admin\AppData\Local\regt.reg

MD5 880a4eeaec310d7d36e5f2a24eecfdd8
SHA1 24757146f770bf953063c76f1ea9127d1c321169
SHA256 3e0dba04f69ef2043a74b6dd8dfbc465025fdeb210782fa35dac523ffc84f025
SHA512 46403dc791352c32a0fabf7c52c879ae87e6a196e158d691d8e93d478403bf3aa4c25f6db491d6a94fc4359ab993c1b6a96989472731ee84598a640c3405a586

C:\Users\Admin\AppData\Local\dsfVorbisEncoder.dll

MD5 7432f13b92a542f16b0d08ea192ee1e6
SHA1 97d21b1c68ec3ad0ca6c567224df74eb63b6f72f
SHA256 b7a12d16fe97e8605b7a39336bbb8bf63465cb54107ad4a38996769c209434f7
SHA512 1b2d339f6df5fbfaf3e55656400598f6221cdaadfd5705536f8b447f4f68ab70ede3530e0791452487ed37aeb44a7a2799227cc398d71b539948724ba4a4e6d2

C:\Users\Admin\AppData\Local\2.exe

MD5 df191b0814c46f087f0c4c46a669d454
SHA1 3b89c9f51fa7696e2fcb2704b1277397d321dd1f
SHA256 064fba37b36fbe717607b5bfa7745c32a57fd71683e617480de8b5d2aa858717
SHA512 c1b468174b388d1585b98c38c207f57da31668e63192bd57828b97ba8e62b76a6444e5e190d59c12f15761228e947bf065d3bab91fc03d672cfc4f7938090959

C:\Users\Admin\AppData\Local\HookDrv.dll

MD5 bbd924baef9f49abd2abc06bff2df57a
SHA1 bac86077e9da898034af04a444de677c27248fcd
SHA256 02003c252982a21d3480a9d0b0f6eda5c70abed13147d960bad480df57edb981
SHA512 14de50ff848604602bd25d441dd308ffb9fafbf2fa87aeafc94e92dd563dad2ff4470654e5cf0e01e143b52fc92488d1e7ab4a803435c778cce1b054f43d3ca2

memory/5496-73-0x0000000000E00000-0x0000000000E5F000-memory.dmp

memory/5496-72-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/5496-74-0x0000000001010000-0x0000000001011000-memory.dmp

memory/5496-79-0x0000000000E00000-0x0000000000E5F000-memory.dmp

memory/5496-80-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/5872-85-0x0000000000B50000-0x0000000000BAF000-memory.dmp

memory/5872-86-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/5872-84-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/5872-87-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/5872-88-0x0000000000B50000-0x0000000000BAF000-memory.dmp

memory/3852-93-0x0000000000B40000-0x0000000000B9F000-memory.dmp

memory/3852-92-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/4436-97-0x00000000008F0000-0x000000000094F000-memory.dmp

memory/60-115-0x00000000008B0000-0x000000000090F000-memory.dmp

memory/3852-119-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/3852-118-0x0000000000B40000-0x0000000000B9F000-memory.dmp

memory/60-114-0x0000000000400000-0x000000000076B000-memory.dmp

memory/4588-123-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4884-113-0x0000000000AA0000-0x0000000000AFF000-memory.dmp

memory/4884-109-0x0000000000400000-0x000000000076B000-memory.dmp

memory/4436-127-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/4436-129-0x00000000008F0000-0x000000000094F000-memory.dmp

memory/4884-132-0x0000000000400000-0x000000000076B000-memory.dmp

memory/4884-134-0x0000000000AA0000-0x0000000000AFF000-memory.dmp

memory/60-136-0x00000000008B0000-0x000000000090F000-memory.dmp

memory/60-135-0x0000000000400000-0x000000000076B000-memory.dmp

memory/1412-133-0x0000000000820000-0x000000000087F000-memory.dmp

memory/1412-139-0x0000000000400000-0x000000000076B000-memory.dmp

memory/1412-140-0x0000000000820000-0x000000000087F000-memory.dmp

memory/4588-142-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3340-141-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/4588-149-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4436-144-0x00000000008F0000-0x000000000094F000-memory.dmp

memory/4436-143-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/4588-157-0x0000000000400000-0x0000000000410000-memory.dmp

memory/60-155-0x0000000000400000-0x000000000076B000-memory.dmp

memory/4588-165-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4588-173-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4588-181-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4588-189-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4436-191-0x0000000000400000-0x00000000007D2000-memory.dmp

memory/4588-197-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-20 06:27

Reported

2025-04-20 06:30

Platform

win11-20250410-en

Max time kernel

120s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"

Signatures

RMS

trojan rat rms

Rms family

rms

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(8 hits recorded; the sandbox attached no description, indicator, process or target to any of them)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\RWLN.dll C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A

UPX packed file

upx
Description Indicator Process Target
(51 hits recorded; the sandbox attached no description, indicator, process or target to any of them)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Progra~1\Remote Manipulator System - Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\2.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\RWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\2.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\RWLN.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\regt.reg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\Russian.lg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\PushSource.ax C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\regt.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe N/A
Token: 33 N/A C:\Progra~1\Remote Manipulator System - Server\2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Progra~1\Remote Manipulator System - Server\2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 5420 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 5420 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 5420 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe C:\Windows\SysWOW64\cmd.exe
PID 5420 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5420 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5420 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5420 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
PID 5044 wrote to memory of 880 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5044 wrote to memory of 880 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5044 wrote to memory of 880 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5044 wrote to memory of 544 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5044 wrote to memory of 544 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5044 wrote to memory of 544 N/A C:\Progra~1\Remote Manipulator System - Server\rutserv.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 5420 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 5420 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 5420 wrote to memory of 3408 N/A C:\Windows\SysWOW64\cmd.exe C:\Progra~1\Remote Manipulator System - Server\2.exe
PID 880 wrote to memory of 3452 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 880 wrote to memory of 3452 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
PID 880 wrote to memory of 3452 N/A C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~74E2.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe""

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Progra~1\Remote Manipulator System - Server/regt.reg"

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /silentinstall

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /firewall

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /start

C:\Progra~1\Remote Manipulator System - Server\rutserv.exe

"C:\Progra~1\Remote Manipulator System - Server\rutserv.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray

C:\Progra~1\Remote Manipulator System - Server\2.exe

"C:\Progra~1\Remote Manipulator System - Server\2.exe"

C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe

"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 server.tektonit.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp
US 8.8.8.8:53 axeline.ru udp
RU 77.223.119.187:5655 server.tektonit.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\~74E2.bat

MD5 b52667d499d9dbed23dac069304b6840
SHA1 6dad39062092c7a0848461bd58705e78e1278523
SHA256 89c6308579a63fcbd5251295dd66aa04e5244f307e84baaff3442efab4dd9af0
SHA512 e7c4ecbe03b977052045c3974291390c1a66bf1b41e84418fea834d57bc4383575c449ddda3d6e207e6d1a3bfef285a3ffb8040a4a8dccd61f2315161e913bc4

C:\Users\Admin\AppData\Local\dsfOggMux.dll

MD5 7a41cd795b23af76c8b0bd308ba5e05d
SHA1 0d2d0446f1f8f805bf3582d48a1af52611511323
SHA256 2219a7fd3f0f476cab1ddfdbe1910f174611a77eda3a577d716466b8dc567227
SHA512 82d6b9419e66a8e2095e0e60603f0cd3948b752fc37ade8ff58d2483f164f3ade1463df1780d6fca98089d09c48e05e4dbdb4548d048e4f19f781b84d5ba42d1

C:\Users\Admin\AppData\Local\RWLN.dll

MD5 bef74ba9847cb190d4a3d04867776ccb
SHA1 43c5af859bfe1433be301f617dc5358d829a5a6e
SHA256 2fc28c943aa12fdf2414c3b094990bea80b9c6c8f3ab0bd4ea7bf5f128f10ff7
SHA512 f27351ffe6d80d4903d787ee6f737d83896b8089b82c40cb533a266178d26d736d084dca64fa13dff36be72c8b6eb255762eb88f0c00d2d3c2edea4670b57210

C:\Users\Admin\AppData\Local\rversionlib.dll

MD5 c666557b54f67145124ede6ac593cf6a
SHA1 67fcdb013314075fe26e2c9eaa23190a9590720f
SHA256 e02d4a45dd90b783501f6cb4ac279f8cece0048b7dcf58127e6bfc9c7297051f
SHA512 5c37ced671fb3516eb968573090d06a7c3ff687451e99bd624647e6c595656698ec64be47244bf5f31748129e437d20034632c6792827c1d9782a66567d20f37

C:\Users\Admin\AppData\Local\RIPCServer.dll

MD5 2bfd175807671afefef2e01783fe23c1
SHA1 14ef7158aace0ff7680af001ea9e1f237e5c5759
SHA256 1f8477f058596a56c86a3427c4351bc03aff0ccea415b8a9f7d568add3ebc138
SHA512 d93ade22bd6e0ab9c9e682a2a91957b22e6b61fcef835136b88209da1c1d661befa7fbbaa420efd1e6a10efab7dd2d36235daa60efbc702992a2147329a4854d

C:\Users\Admin\AppData\Local\Russian.lg

MD5 449b3a734459150913b7b2eb59f51316
SHA1 48985f309b36af45473b5f381c8d91ee8a28290b
SHA256 1d5990207f504d183356913aceccbd1e3f8b55c4918a4ca19ab6e920a721ed5f
SHA512 f6745acf57235456604b5d05920f0db69898242626a2629dbcda7061eed6f94441d87a567fde25bdd89abf20c1dcf5cc34a222fbf1771aa1716722de264776ab

C:\Users\Admin\AppData\Local\rutserv.exe

MD5 b27e7b4ec2e399afa25f00991947e0ff
SHA1 6a9426584a5aca376875f1dedc42ea1e711a3dec
SHA256 fd761d45d630b3ddb2e9b287485466afbb4774036d745918eee3bec063028eeb
SHA512 a578fe91e57216a276b32d56b0bd619e06e2c6671f71c092cc8904b1c6caadb97577a9ada0624c903dabd6fb444533b9f7c1adb9427df33ce638aacfad29cd05

C:\Users\Admin\AppData\Local\rfusclient.exe

MD5 bcb751e5c84a5a523d2de04764e237da
SHA1 d9dfd3b5f4f7231aa189686a05e538ba86d51855
SHA256 ac65d29206b2524f9a1cc618ccfc2a6749d5883001ca1d5023f46488b256195f
SHA512 71d9eccd6b1d7e2ea7676fd42a8748908c6239e16b7ab3f63b3c516f8e8d2be8eee90cb4b0dfb966b5edf179b14b033e85287bba0a2e4f66cb06a7d1c3e30854

C:\Users\Admin\AppData\Local\msvcr80.dll

MD5 548e8dc4550f0102dc844269897e08a8
SHA1 071fde0b108957cc05c357e68e420fbb6bb14099
SHA256 85b49c630b6d57bda300e10e9f99b39f7a8e94d85abe648a257a56e888b9f7d1
SHA512 7dbbfc3ebae13791ef88d157d9219d46bd5144689d2279c4d2bc5df8904de1bda32eac917b4dca2b9da1765b903949708edc7e538c950a264bee084a4f7862af

C:\Users\Admin\AppData\Local\PushSource.ax

MD5 d7eb741be9c97a6d1063102f0e4ca44d
SHA1 bf8bdca7f56ed39fb96141ae9593dec497f4e2c8
SHA256 0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7
SHA512 cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

C:\Users\Admin\AppData\Local\Microsoft.VC80.CRT.manifest

MD5 d34b3da03c59f38a510eaa8ccc151ec7
SHA1 41b978588a9902f5e14b2b693973cb210ed900b2
SHA256 a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc
SHA512 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

C:\Users\Admin\AppData\Local\HookDrv.dll

MD5 bbd924baef9f49abd2abc06bff2df57a
SHA1 bac86077e9da898034af04a444de677c27248fcd
SHA256 02003c252982a21d3480a9d0b0f6eda5c70abed13147d960bad480df57edb981
SHA512 14de50ff848604602bd25d441dd308ffb9fafbf2fa87aeafc94e92dd563dad2ff4470654e5cf0e01e143b52fc92488d1e7ab4a803435c778cce1b054f43d3ca2

C:\Users\Admin\AppData\Local\2.exe

MD5 df191b0814c46f087f0c4c46a669d454
SHA1 3b89c9f51fa7696e2fcb2704b1277397d321dd1f
SHA256 064fba37b36fbe717607b5bfa7745c32a57fd71683e617480de8b5d2aa858717
SHA512 c1b468174b388d1585b98c38c207f57da31668e63192bd57828b97ba8e62b76a6444e5e190d59c12f15761228e947bf065d3bab91fc03d672cfc4f7938090959

C:\Users\Admin\AppData\Local\regt.reg

MD5 880a4eeaec310d7d36e5f2a24eecfdd8
SHA1 24757146f770bf953063c76f1ea9127d1c321169
SHA256 3e0dba04f69ef2043a74b6dd8dfbc465025fdeb210782fa35dac523ffc84f025
SHA512 46403dc791352c32a0fabf7c52c879ae87e6a196e158d691d8e93d478403bf3aa4c25f6db491d6a94fc4359ab993c1b6a96989472731ee84598a640c3405a586

C:\Users\Admin\AppData\Local\dsfVorbisEncoder.dll

MD5 7432f13b92a542f16b0d08ea192ee1e6
SHA1 97d21b1c68ec3ad0ca6c567224df74eb63b6f72f
SHA256 b7a12d16fe97e8605b7a39336bbb8bf63465cb54107ad4a38996769c209434f7
SHA512 1b2d339f6df5fbfaf3e55656400598f6221cdaadfd5705536f8b447f4f68ab70ede3530e0791452487ed37aeb44a7a2799227cc398d71b539948724ba4a4e6d2

C:\Users\Admin\AppData\Local\dsfTheoraEncoder.dll

MD5 6e8e3aea0d24d51dfa0d31194ed63129
SHA1 bf1f37a18ce7c050b528ea5eb3f913de8f85600f
SHA256 94871b30d2eac92d01d7823f6b5fae749115394f79bf8e2e7abd489dc13a42f7
SHA512 147adaa6716cc0ca17d91675cd73d1e4c299282aefac4095536bb7fd2211004bafd6e398e04c933d266683b1e578d0e1f50143615ac9953eba99a3d55ab03a38
