Analysis Overview
SHA256
16cac4973e4cd7c600369a024e3336f4eebc89a4174152ce61e6b95dbcc29931
Threat Level: Known bad
The file JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5 was found to be: Known bad.
Malicious Activity Summary
RMS
Rms family
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-20 06:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-20 06:27
Reported
2025-04-20 06:30
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
RMS
Rms family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\RWLN.dll | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RWLN.dll | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\RWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\2.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\RWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\regt.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\regt.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\2.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: 33 | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~7CC1.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe""
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Progra~1\Remote Manipulator System - Server/regt.reg"
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /silentinstall
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /firewall
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /start
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server\rutserv.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray
C:\Progra~1\Remote Manipulator System - Server\2.exe
"C:\Progra~1\Remote Manipulator System - Server\2.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | server.tektonit.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~7CC1.bat
| MD5 | b52667d499d9dbed23dac069304b6840 |
| SHA1 | 6dad39062092c7a0848461bd58705e78e1278523 |
| SHA256 | 89c6308579a63fcbd5251295dd66aa04e5244f307e84baaff3442efab4dd9af0 |
| SHA512 | e7c4ecbe03b977052045c3974291390c1a66bf1b41e84418fea834d57bc4383575c449ddda3d6e207e6d1a3bfef285a3ffb8040a4a8dccd61f2315161e913bc4 |
C:\Users\Admin\AppData\Local\dsfOggMux.dll
| MD5 | 7a41cd795b23af76c8b0bd308ba5e05d |
| SHA1 | 0d2d0446f1f8f805bf3582d48a1af52611511323 |
| SHA256 | 2219a7fd3f0f476cab1ddfdbe1910f174611a77eda3a577d716466b8dc567227 |
| SHA512 | 82d6b9419e66a8e2095e0e60603f0cd3948b752fc37ade8ff58d2483f164f3ade1463df1780d6fca98089d09c48e05e4dbdb4548d048e4f19f781b84d5ba42d1 |
C:\Users\Admin\AppData\Local\RWLN.dll
| MD5 | bef74ba9847cb190d4a3d04867776ccb |
| SHA1 | 43c5af859bfe1433be301f617dc5358d829a5a6e |
| SHA256 | 2fc28c943aa12fdf2414c3b094990bea80b9c6c8f3ab0bd4ea7bf5f128f10ff7 |
| SHA512 | f27351ffe6d80d4903d787ee6f737d83896b8089b82c40cb533a266178d26d736d084dca64fa13dff36be72c8b6eb255762eb88f0c00d2d3c2edea4670b57210 |
C:\Users\Admin\AppData\Local\rversionlib.dll
| MD5 | c666557b54f67145124ede6ac593cf6a |
| SHA1 | 67fcdb013314075fe26e2c9eaa23190a9590720f |
| SHA256 | e02d4a45dd90b783501f6cb4ac279f8cece0048b7dcf58127e6bfc9c7297051f |
| SHA512 | 5c37ced671fb3516eb968573090d06a7c3ff687451e99bd624647e6c595656698ec64be47244bf5f31748129e437d20034632c6792827c1d9782a66567d20f37 |
C:\Users\Admin\AppData\Local\rutserv.exe
| MD5 | b27e7b4ec2e399afa25f00991947e0ff |
| SHA1 | 6a9426584a5aca376875f1dedc42ea1e711a3dec |
| SHA256 | fd761d45d630b3ddb2e9b287485466afbb4774036d745918eee3bec063028eeb |
| SHA512 | a578fe91e57216a276b32d56b0bd619e06e2c6671f71c092cc8904b1c6caadb97577a9ada0624c903dabd6fb444533b9f7c1adb9427df33ce638aacfad29cd05 |
C:\Users\Admin\AppData\Local\Russian.lg
| MD5 | 449b3a734459150913b7b2eb59f51316 |
| SHA1 | 48985f309b36af45473b5f381c8d91ee8a28290b |
| SHA256 | 1d5990207f504d183356913aceccbd1e3f8b55c4918a4ca19ab6e920a721ed5f |
| SHA512 | f6745acf57235456604b5d05920f0db69898242626a2629dbcda7061eed6f94441d87a567fde25bdd89abf20c1dcf5cc34a222fbf1771aa1716722de264776ab |
C:\Users\Admin\AppData\Local\RIPCServer.dll
| MD5 | 2bfd175807671afefef2e01783fe23c1 |
| SHA1 | 14ef7158aace0ff7680af001ea9e1f237e5c5759 |
| SHA256 | 1f8477f058596a56c86a3427c4351bc03aff0ccea415b8a9f7d568add3ebc138 |
| SHA512 | d93ade22bd6e0ab9c9e682a2a91957b22e6b61fcef835136b88209da1c1d661befa7fbbaa420efd1e6a10efab7dd2d36235daa60efbc702992a2147329a4854d |
C:\Users\Admin\AppData\Local\rfusclient.exe
| MD5 | bcb751e5c84a5a523d2de04764e237da |
| SHA1 | d9dfd3b5f4f7231aa189686a05e538ba86d51855 |
| SHA256 | ac65d29206b2524f9a1cc618ccfc2a6749d5883001ca1d5023f46488b256195f |
| SHA512 | 71d9eccd6b1d7e2ea7676fd42a8748908c6239e16b7ab3f63b3c516f8e8d2be8eee90cb4b0dfb966b5edf179b14b033e85287bba0a2e4f66cb06a7d1c3e30854 |
C:\Users\Admin\AppData\Local\PushSource.ax
| MD5 | d7eb741be9c97a6d1063102f0e4ca44d |
| SHA1 | bf8bdca7f56ed39fb96141ae9593dec497f4e2c8 |
| SHA256 | 0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7 |
| SHA512 | cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e |
C:\Users\Admin\AppData\Local\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Users\Admin\AppData\Local\msvcr80.dll
| MD5 | 548e8dc4550f0102dc844269897e08a8 |
| SHA1 | 071fde0b108957cc05c357e68e420fbb6bb14099 |
| SHA256 | 85b49c630b6d57bda300e10e9f99b39f7a8e94d85abe648a257a56e888b9f7d1 |
| SHA512 | 7dbbfc3ebae13791ef88d157d9219d46bd5144689d2279c4d2bc5df8904de1bda32eac917b4dca2b9da1765b903949708edc7e538c950a264bee084a4f7862af |
C:\Users\Admin\AppData\Local\dsfTheoraEncoder.dll
| MD5 | 6e8e3aea0d24d51dfa0d31194ed63129 |
| SHA1 | bf1f37a18ce7c050b528ea5eb3f913de8f85600f |
| SHA256 | 94871b30d2eac92d01d7823f6b5fae749115394f79bf8e2e7abd489dc13a42f7 |
| SHA512 | 147adaa6716cc0ca17d91675cd73d1e4c299282aefac4095536bb7fd2211004bafd6e398e04c933d266683b1e578d0e1f50143615ac9953eba99a3d55ab03a38 |
C:\Users\Admin\AppData\Local\regt.reg
| MD5 | 880a4eeaec310d7d36e5f2a24eecfdd8 |
| SHA1 | 24757146f770bf953063c76f1ea9127d1c321169 |
| SHA256 | 3e0dba04f69ef2043a74b6dd8dfbc465025fdeb210782fa35dac523ffc84f025 |
| SHA512 | 46403dc791352c32a0fabf7c52c879ae87e6a196e158d691d8e93d478403bf3aa4c25f6db491d6a94fc4359ab993c1b6a96989472731ee84598a640c3405a586 |
C:\Users\Admin\AppData\Local\dsfVorbisEncoder.dll
| MD5 | 7432f13b92a542f16b0d08ea192ee1e6 |
| SHA1 | 97d21b1c68ec3ad0ca6c567224df74eb63b6f72f |
| SHA256 | b7a12d16fe97e8605b7a39336bbb8bf63465cb54107ad4a38996769c209434f7 |
| SHA512 | 1b2d339f6df5fbfaf3e55656400598f6221cdaadfd5705536f8b447f4f68ab70ede3530e0791452487ed37aeb44a7a2799227cc398d71b539948724ba4a4e6d2 |
C:\Users\Admin\AppData\Local\2.exe
| MD5 | df191b0814c46f087f0c4c46a669d454 |
| SHA1 | 3b89c9f51fa7696e2fcb2704b1277397d321dd1f |
| SHA256 | 064fba37b36fbe717607b5bfa7745c32a57fd71683e617480de8b5d2aa858717 |
| SHA512 | c1b468174b388d1585b98c38c207f57da31668e63192bd57828b97ba8e62b76a6444e5e190d59c12f15761228e947bf065d3bab91fc03d672cfc4f7938090959 |
C:\Users\Admin\AppData\Local\HookDrv.dll
| MD5 | bbd924baef9f49abd2abc06bff2df57a |
| SHA1 | bac86077e9da898034af04a444de677c27248fcd |
| SHA256 | 02003c252982a21d3480a9d0b0f6eda5c70abed13147d960bad480df57edb981 |
| SHA512 | 14de50ff848604602bd25d441dd308ffb9fafbf2fa87aeafc94e92dd563dad2ff4470654e5cf0e01e143b52fc92488d1e7ab4a803435c778cce1b054f43d3ca2 |
memory/5496-73-0x0000000000E00000-0x0000000000E5F000-memory.dmp
memory/5496-72-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5496-74-0x0000000001010000-0x0000000001011000-memory.dmp
memory/5496-79-0x0000000000E00000-0x0000000000E5F000-memory.dmp
memory/5496-80-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5872-85-0x0000000000B50000-0x0000000000BAF000-memory.dmp
memory/5872-86-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/5872-84-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5872-87-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5872-88-0x0000000000B50000-0x0000000000BAF000-memory.dmp
memory/3852-93-0x0000000000B40000-0x0000000000B9F000-memory.dmp
memory/3852-92-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/4436-97-0x00000000008F0000-0x000000000094F000-memory.dmp
memory/60-115-0x00000000008B0000-0x000000000090F000-memory.dmp
memory/3852-119-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/3852-118-0x0000000000B40000-0x0000000000B9F000-memory.dmp
memory/60-114-0x0000000000400000-0x000000000076B000-memory.dmp
memory/4588-123-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4884-113-0x0000000000AA0000-0x0000000000AFF000-memory.dmp
memory/4884-109-0x0000000000400000-0x000000000076B000-memory.dmp
memory/4436-127-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/4436-129-0x00000000008F0000-0x000000000094F000-memory.dmp
memory/4884-132-0x0000000000400000-0x000000000076B000-memory.dmp
memory/4884-134-0x0000000000AA0000-0x0000000000AFF000-memory.dmp
memory/60-136-0x00000000008B0000-0x000000000090F000-memory.dmp
memory/60-135-0x0000000000400000-0x000000000076B000-memory.dmp
memory/1412-133-0x0000000000820000-0x000000000087F000-memory.dmp
memory/1412-139-0x0000000000400000-0x000000000076B000-memory.dmp
memory/1412-140-0x0000000000820000-0x000000000087F000-memory.dmp
memory/4588-142-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3340-141-0x0000000000400000-0x00000000007D3000-memory.dmp
memory/4588-149-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4436-144-0x00000000008F0000-0x000000000094F000-memory.dmp
memory/4436-143-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/4588-157-0x0000000000400000-0x0000000000410000-memory.dmp
memory/60-155-0x0000000000400000-0x000000000076B000-memory.dmp
memory/4588-165-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4588-173-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4588-181-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4588-189-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4436-191-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/4588-197-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-20 06:27
Reported
2025-04-20 06:30
Platform
win11-20250410-en
Max time kernel
120s
Max time network
147s
Command Line
Signatures
RMS
Rms family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\RWLN.dll | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RWLN.dll | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Progra~1\Remote Manipulator System - Server\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\RIPCServer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\2.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\RWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfOggMux.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\2.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\RWLN.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\regt.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\rversionlib.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\Russian.lg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\PushSource.ax | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\Microsoft.VC80.CRT.manifest | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfVorbisEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\dsfTheoraEncoder.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\msvcr80.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\regt.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Progra~1\Remote Manipulator System - Server\HookDrv.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
| N/A | N/A | C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\rutserv.exe | N/A |
| Token: 33 | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Progra~1\Remote Manipulator System - Server\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~74E2.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4d9612605cf4360dc97c6f317ddc1c5.exe""
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Progra~1\Remote Manipulator System - Server/regt.reg"
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /silentinstall
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /firewall
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server/rutserv.exe" /start
C:\Progra~1\Remote Manipulator System - Server\rutserv.exe
"C:\Progra~1\Remote Manipulator System - Server\rutserv.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray
C:\Progra~1\Remote Manipulator System - Server\2.exe
"C:\Progra~1\Remote Manipulator System - Server\2.exe"
C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe
"C:\Progra~1\Remote Manipulator System - Server\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | server.tektonit.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | axeline.ru | udp |
| RU | 77.223.119.187:5655 | server.tektonit.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~74E2.bat
| MD5 | b52667d499d9dbed23dac069304b6840 |
| SHA1 | 6dad39062092c7a0848461bd58705e78e1278523 |
| SHA256 | 89c6308579a63fcbd5251295dd66aa04e5244f307e84baaff3442efab4dd9af0 |
| SHA512 | e7c4ecbe03b977052045c3974291390c1a66bf1b41e84418fea834d57bc4383575c449ddda3d6e207e6d1a3bfef285a3ffb8040a4a8dccd61f2315161e913bc4 |
C:\Users\Admin\AppData\Local\dsfOggMux.dll
| MD5 | 7a41cd795b23af76c8b0bd308ba5e05d |
| SHA1 | 0d2d0446f1f8f805bf3582d48a1af52611511323 |
| SHA256 | 2219a7fd3f0f476cab1ddfdbe1910f174611a77eda3a577d716466b8dc567227 |
| SHA512 | 82d6b9419e66a8e2095e0e60603f0cd3948b752fc37ade8ff58d2483f164f3ade1463df1780d6fca98089d09c48e05e4dbdb4548d048e4f19f781b84d5ba42d1 |
C:\Users\Admin\AppData\Local\RWLN.dll
| MD5 | bef74ba9847cb190d4a3d04867776ccb |
| SHA1 | 43c5af859bfe1433be301f617dc5358d829a5a6e |
| SHA256 | 2fc28c943aa12fdf2414c3b094990bea80b9c6c8f3ab0bd4ea7bf5f128f10ff7 |
| SHA512 | f27351ffe6d80d4903d787ee6f737d83896b8089b82c40cb533a266178d26d736d084dca64fa13dff36be72c8b6eb255762eb88f0c00d2d3c2edea4670b57210 |
C:\Users\Admin\AppData\Local\rversionlib.dll
| MD5 | c666557b54f67145124ede6ac593cf6a |
| SHA1 | 67fcdb013314075fe26e2c9eaa23190a9590720f |
| SHA256 | e02d4a45dd90b783501f6cb4ac279f8cece0048b7dcf58127e6bfc9c7297051f |
| SHA512 | 5c37ced671fb3516eb968573090d06a7c3ff687451e99bd624647e6c595656698ec64be47244bf5f31748129e437d20034632c6792827c1d9782a66567d20f37 |
C:\Users\Admin\AppData\Local\RIPCServer.dll
| MD5 | 2bfd175807671afefef2e01783fe23c1 |
| SHA1 | 14ef7158aace0ff7680af001ea9e1f237e5c5759 |
| SHA256 | 1f8477f058596a56c86a3427c4351bc03aff0ccea415b8a9f7d568add3ebc138 |
| SHA512 | d93ade22bd6e0ab9c9e682a2a91957b22e6b61fcef835136b88209da1c1d661befa7fbbaa420efd1e6a10efab7dd2d36235daa60efbc702992a2147329a4854d |
C:\Users\Admin\AppData\Local\Russian.lg
| MD5 | 449b3a734459150913b7b2eb59f51316 |
| SHA1 | 48985f309b36af45473b5f381c8d91ee8a28290b |
| SHA256 | 1d5990207f504d183356913aceccbd1e3f8b55c4918a4ca19ab6e920a721ed5f |
| SHA512 | f6745acf57235456604b5d05920f0db69898242626a2629dbcda7061eed6f94441d87a567fde25bdd89abf20c1dcf5cc34a222fbf1771aa1716722de264776ab |
C:\Users\Admin\AppData\Local\rutserv.exe
| MD5 | b27e7b4ec2e399afa25f00991947e0ff |
| SHA1 | 6a9426584a5aca376875f1dedc42ea1e711a3dec |
| SHA256 | fd761d45d630b3ddb2e9b287485466afbb4774036d745918eee3bec063028eeb |
| SHA512 | a578fe91e57216a276b32d56b0bd619e06e2c6671f71c092cc8904b1c6caadb97577a9ada0624c903dabd6fb444533b9f7c1adb9427df33ce638aacfad29cd05 |
C:\Users\Admin\AppData\Local\rfusclient.exe
| MD5 | bcb751e5c84a5a523d2de04764e237da |
| SHA1 | d9dfd3b5f4f7231aa189686a05e538ba86d51855 |
| SHA256 | ac65d29206b2524f9a1cc618ccfc2a6749d5883001ca1d5023f46488b256195f |
| SHA512 | 71d9eccd6b1d7e2ea7676fd42a8748908c6239e16b7ab3f63b3c516f8e8d2be8eee90cb4b0dfb966b5edf179b14b033e85287bba0a2e4f66cb06a7d1c3e30854 |
C:\Users\Admin\AppData\Local\msvcr80.dll
| MD5 | 548e8dc4550f0102dc844269897e08a8 |
| SHA1 | 071fde0b108957cc05c357e68e420fbb6bb14099 |
| SHA256 | 85b49c630b6d57bda300e10e9f99b39f7a8e94d85abe648a257a56e888b9f7d1 |
| SHA512 | 7dbbfc3ebae13791ef88d157d9219d46bd5144689d2279c4d2bc5df8904de1bda32eac917b4dca2b9da1765b903949708edc7e538c950a264bee084a4f7862af |
C:\Users\Admin\AppData\Local\PushSource.ax
| MD5 | d7eb741be9c97a6d1063102f0e4ca44d |
| SHA1 | bf8bdca7f56ed39fb96141ae9593dec497f4e2c8 |
| SHA256 | 0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7 |
| SHA512 | cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e |
C:\Users\Admin\AppData\Local\Microsoft.VC80.CRT.manifest
| MD5 | d34b3da03c59f38a510eaa8ccc151ec7 |
| SHA1 | 41b978588a9902f5e14b2b693973cb210ed900b2 |
| SHA256 | a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc |
| SHA512 | 231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7 |
C:\Users\Admin\AppData\Local\HookDrv.dll
| MD5 | bbd924baef9f49abd2abc06bff2df57a |
| SHA1 | bac86077e9da898034af04a444de677c27248fcd |
| SHA256 | 02003c252982a21d3480a9d0b0f6eda5c70abed13147d960bad480df57edb981 |
| SHA512 | 14de50ff848604602bd25d441dd308ffb9fafbf2fa87aeafc94e92dd563dad2ff4470654e5cf0e01e143b52fc92488d1e7ab4a803435c778cce1b054f43d3ca2 |
C:\Users\Admin\AppData\Local\2.exe
| MD5 | df191b0814c46f087f0c4c46a669d454 |
| SHA1 | 3b89c9f51fa7696e2fcb2704b1277397d321dd1f |
| SHA256 | 064fba37b36fbe717607b5bfa7745c32a57fd71683e617480de8b5d2aa858717 |
| SHA512 | c1b468174b388d1585b98c38c207f57da31668e63192bd57828b97ba8e62b76a6444e5e190d59c12f15761228e947bf065d3bab91fc03d672cfc4f7938090959 |
C:\Users\Admin\AppData\Local\regt.reg
| MD5 | 880a4eeaec310d7d36e5f2a24eecfdd8 |
| SHA1 | 24757146f770bf953063c76f1ea9127d1c321169 |
| SHA256 | 3e0dba04f69ef2043a74b6dd8dfbc465025fdeb210782fa35dac523ffc84f025 |
| SHA512 | 46403dc791352c32a0fabf7c52c879ae87e6a196e158d691d8e93d478403bf3aa4c25f6db491d6a94fc4359ab993c1b6a96989472731ee84598a640c3405a586 |
C:\Users\Admin\AppData\Local\dsfVorbisEncoder.dll
| MD5 | 7432f13b92a542f16b0d08ea192ee1e6 |
| SHA1 | 97d21b1c68ec3ad0ca6c567224df74eb63b6f72f |
| SHA256 | b7a12d16fe97e8605b7a39336bbb8bf63465cb54107ad4a38996769c209434f7 |
| SHA512 | 1b2d339f6df5fbfaf3e55656400598f6221cdaadfd5705536f8b447f4f68ab70ede3530e0791452487ed37aeb44a7a2799227cc398d71b539948724ba4a4e6d2 |
C:\Users\Admin\AppData\Local\dsfTheoraEncoder.dll
| MD5 | 6e8e3aea0d24d51dfa0d31194ed63129 |
| SHA1 | bf1f37a18ce7c050b528ea5eb3f913de8f85600f |
| SHA256 | 94871b30d2eac92d01d7823f6b5fae749115394f79bf8e2e7abd489dc13a42f7 |
| SHA512 | 147adaa6716cc0ca17d91675cd73d1e4c299282aefac4095536bb7fd2211004bafd6e398e04c933d266683b1e578d0e1f50143615ac9953eba99a3d55ab03a38 |
memory/4428-79-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/4428-78-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/908-83-0x0000000000A00000-0x0000000000A5F000-memory.dmp
memory/908-84-0x0000000002940000-0x0000000002941000-memory.dmp
memory/4428-77-0x0000000000E90000-0x0000000000EEF000-memory.dmp
memory/4428-75-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/908-86-0x0000000000A00000-0x0000000000A5F000-memory.dmp
memory/908-85-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5012-90-0x0000000000C00000-0x0000000000C5F000-memory.dmp
memory/5044-94-0x0000000000C10000-0x0000000000C6F000-memory.dmp
memory/880-106-0x0000000000400000-0x000000000076B000-memory.dmp
memory/880-107-0x0000000000D00000-0x0000000000D5F000-memory.dmp
memory/5012-114-0x0000000000C00000-0x0000000000C5F000-memory.dmp
memory/5012-116-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/3408-120-0x0000000000400000-0x0000000000410000-memory.dmp
memory/544-115-0x0000000000400000-0x000000000076B000-memory.dmp
memory/544-111-0x0000000000BA0000-0x0000000000BFF000-memory.dmp
memory/5044-123-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/5044-124-0x0000000000C10000-0x0000000000C6F000-memory.dmp
memory/5044-125-0x0000000000C10000-0x0000000000C6F000-memory.dmp
memory/880-126-0x0000000000400000-0x000000000076B000-memory.dmp
memory/880-128-0x0000000000D00000-0x0000000000D5F000-memory.dmp
memory/544-133-0x0000000000BA0000-0x0000000000BFF000-memory.dmp
memory/880-132-0x0000000000D00000-0x0000000000D5F000-memory.dmp
memory/3452-131-0x0000000000BC0000-0x0000000000C1F000-memory.dmp
memory/3452-134-0x0000000000400000-0x000000000076B000-memory.dmp
memory/3452-136-0x0000000000BC0000-0x0000000000C1F000-memory.dmp
memory/544-137-0x0000000000400000-0x000000000076B000-memory.dmp
memory/3408-138-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3112-139-0x0000000000400000-0x00000000007D3000-memory.dmp
memory/5044-140-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/3408-146-0x0000000000400000-0x0000000000410000-memory.dmp
memory/880-142-0x0000000000400000-0x000000000076B000-memory.dmp
memory/3408-154-0x0000000000400000-0x0000000000410000-memory.dmp
memory/544-152-0x0000000000400000-0x000000000076B000-memory.dmp
memory/3408-162-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3408-170-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3408-178-0x0000000000400000-0x0000000000410000-memory.dmp
memory/544-176-0x0000000000400000-0x000000000076B000-memory.dmp
memory/5044-172-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/3408-186-0x0000000000400000-0x0000000000410000-memory.dmp
memory/5044-188-0x0000000000400000-0x00000000007D2000-memory.dmp
memory/3408-194-0x0000000000400000-0x0000000000410000-memory.dmp