b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
Size

17.2MB
MD5

850d8d031e7ef7aff148df081191570b
SHA1

38f7c2796aee9c9c09a67e8c4c99a02d2ec1b346
SHA256

b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
SHA512

84bbad6cd5d1d754da3bc7713e660061d08b2bd799599b554ed066dc76d9e008dd5a1f3e0dfe747612942d072d8c744c5ef749fd1bbf2ea4faf2f8f31bed72bd

Score

8^/10

discovery

Malware Config

Signatures

Blacklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

14 3260 msiexec.exe
16 3260 msiexec.exe
18 3260 msiexec.exe
Executes dropped EXE 8 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

2152 rfusclient.exe
3824 rutserv.exe
2568 rutserv.exe
3460 rutserv.exe
2584 rutserv.exe
3772 rfusclient.exe
812 rfusclient.exe
1124 rfusclient.exe

flow	pid	process
14	3260	msiexec.exe
16	3260	msiexec.exe
18	3260	msiexec.exe

pid	process
2152	rfusclient.exe
3824	rutserv.exe
2568	rutserv.exe
3460	rutserv.exe
2584	rutserv.exe
3772	rfusclient.exe
812	rfusclient.exe
1124	rfusclient.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exerfusclient.exerfusclient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

4064 MsiExec.exe
3824 rutserv.exe
3824 rutserv.exe
2568 rutserv.exe
2568 rutserv.exe
3460 rutserv.exe
3460 rutserv.exe
2584 rutserv.exe
2584 rutserv.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4064	MsiExec.exe
3824	rutserv.exe
3824	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	js
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	js
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	js
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	js
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	js

Drops file in System32 directory 10 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe

Drops file in Program Files directory 72 IoCs

Processes:

msiexec.exerutserv.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.sys	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2020-11.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.sys	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\drvinstaller32.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\rppd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2020-11.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.sys	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f74554a.msi	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\f74554d.msi	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f74554a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E5803A4B-5A4B-44F6-A759-882FB6AD7982}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A5A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe	msiexec.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

msiexec.exerutserv.exerutserv.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe

Modifies registry class 26 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{F5CA539A-8D3B-443A-B621-7618B1CB0701}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\2 = "C:\\ProgramData\\Remote Manipulator System\\msi\\69110_{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\PackageName = "host.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{F5CA539A-8D3B-443A-B621-7618B1CB0701}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductIcon = "C:\\Windows\\Installer\\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\monitor_driver	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\PackageCode = "B39B0F2EBB537BF46A58ECBDE554B477"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Version = "117436076"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Assignment = "1"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007f000000010000000c000000300a06082b060105050703017e00000001000000080000000040d0d1b0ffd40103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e00000001000000080000000040d0d1b0ffd4017f000000010000000c000000300a06082b060105050703010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
3772	rfusclient.exe
3772	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

1124 rfusclient.exe

pid	process
1124	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 112 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	940	msiexec.exe
Token: SeSecurityPrivilege	3260	msiexec.exe
Token: SeCreateTokenPrivilege	940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	940	msiexec.exe
Token: SeLockMemoryPrivilege	940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	940	msiexec.exe
Token: SeMachineAccountPrivilege	940	msiexec.exe
Token: SeTcbPrivilege	940	msiexec.exe
Token: SeSecurityPrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeLoadDriverPrivilege	940	msiexec.exe
Token: SeSystemProfilePrivilege	940	msiexec.exe
Token: SeSystemtimePrivilege	940	msiexec.exe
Token: SeProfSingleProcessPrivilege	940	msiexec.exe
Token: SeIncBasePriorityPrivilege	940	msiexec.exe
Token: SeCreatePagefilePrivilege	940	msiexec.exe
Token: SeCreatePermanentPrivilege	940	msiexec.exe
Token: SeBackupPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeShutdownPrivilege	940	msiexec.exe
Token: SeDebugPrivilege	940	msiexec.exe
Token: SeAuditPrivilege	940	msiexec.exe
Token: SeSystemEnvironmentPrivilege	940	msiexec.exe
Token: SeChangeNotifyPrivilege	940	msiexec.exe
Token: SeRemoteShutdownPrivilege	940	msiexec.exe
Token: SeUndockPrivilege	940	msiexec.exe
Token: SeSyncAgentPrivilege	940	msiexec.exe
Token: SeEnableDelegationPrivilege	940	msiexec.exe
Token: SeManageVolumePrivilege	940	msiexec.exe
Token: SeImpersonatePrivilege	940	msiexec.exe
Token: SeCreateGlobalPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe
Token: SeRestorePrivilege	3260	msiexec.exe
Token: SeTakeOwnershipPrivilege	3260	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rfusclient.exe

pid process

812 rfusclient.exe
812 rfusclient.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rfusclient.exe

pid process

812 rfusclient.exe
812 rfusclient.exe

pid	process
812	rfusclient.exe
812	rfusclient.exe

pid	process
812	rfusclient.exe
812	rfusclient.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid	process
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
3824	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
2568	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
3460	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe
2584	rutserv.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exemsiexec.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 3980 wrote to memory of 940	3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe	msiexec.exe
PID 3980 wrote to memory of 940	3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe	msiexec.exe
PID 3980 wrote to memory of 940	3980	SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe	msiexec.exe
PID 3260 wrote to memory of 4064	3260	msiexec.exe	MsiExec.exe
PID 3260 wrote to memory of 4064	3260	msiexec.exe	MsiExec.exe
PID 3260 wrote to memory of 4064	3260	msiexec.exe	MsiExec.exe
PID 3260 wrote to memory of 2152	3260	msiexec.exe	rfusclient.exe
PID 3260 wrote to memory of 2152	3260	msiexec.exe	rfusclient.exe
PID 3260 wrote to memory of 2152	3260	msiexec.exe	rfusclient.exe
PID 3260 wrote to memory of 3824	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 3824	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 3824	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 2568	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 2568	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 2568	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 3460	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 3460	3260	msiexec.exe	rutserv.exe
PID 3260 wrote to memory of 3460	3260	msiexec.exe	rutserv.exe
PID 2584 wrote to memory of 3772	2584	rutserv.exe	rfusclient.exe
PID 2584 wrote to memory of 3772	2584	rutserv.exe	rfusclient.exe
PID 2584 wrote to memory of 3772	2584	rutserv.exe	rfusclient.exe
PID 2584 wrote to memory of 812	2584	rutserv.exe	rfusclient.exe
PID 2584 wrote to memory of 812	2584	rutserv.exe	rfusclient.exe
PID 2584 wrote to memory of 812	2584	rutserv.exe	rfusclient.exe
PID 3772 wrote to memory of 1124	3772	rfusclient.exe	rfusclient.exe
PID 3772 wrote to memory of 1124	3772	rfusclient.exe	rfusclient.exe
PID 3772 wrote to memory of 1124	3772	rfusclient.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.850d8d031e7ef7af.27396.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RMS_{F5CA539A-8D3B-443A-B621-7618B1CB0701}\host.msi" /qn
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0C0ECFFE3D6F75528D618EBB857F449C
2⤵
- Loads dropped DLL
PID:4064

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RMS_{F5CA539A-8D3B-443A-B621-7618B1CB0701}\host.msi"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2152

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: SetClipboardViewer
PID:1124

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:812

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
MD5
246286feb0ed55eaf4251e256d2fe47e

SHA1
bc76b013918e4c1bd6dff44708a760496d8c717c

SHA256
64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27

SHA512
900e670259fb3b5762c0242236ce86fcdd04300407fc4d79959edfed99bbec58b4e10048a2b9ef54e709d00717870bf09c7b5fb2f5fa3cfe844682d2bb36f12f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
MD5
55a0b95a1d1b7e309f2c22af82a07cc0

SHA1
521c41e185e5b5e73cfc4e1b18646dc4ed171942

SHA256
704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d

SHA512
38e3a8392f84cd31b9eb12ce4fa7ed04db29f4fe4de95e52f18cdc6e7c74a0b2673d15ab40802bf289ed3a1e83526827b012ceddbb309f40c5302547ce39f5f9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
MD5
1ea62293ac757a0c2b64e632f30db636

SHA1
8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

SHA256
970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

SHA512
857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
MD5
89770647609ac26c1bbd9cf6ed50954e

SHA1
349eed120070bab7e96272697b39e786423ac1d3

SHA256
7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

SHA512
a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
MD5
d29f7070ee379544aeb19913621c88e6

SHA1
499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

SHA256
654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

SHA512
4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
MD5
7a9eeac3ceaf7f95f44eb5c57b4db2e3

SHA1
be1048c254aa3114358f76d08c55667c4bf2d382

SHA256
b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

SHA512
b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
MD5
5308b9945e348fbe3a480be06885434c

SHA1
5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

SHA256
9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

SHA512
4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

Download Submit
C:\ProgramData\Remote Manipulator System\install.log
MD5
bc9a6b680613264032bbcfe439267103

SHA1
2765591a57744bbdef3510aab4713007e6862754

SHA256
4993396881c484314a845062faa613aa673f47290353c735d02765dfd15764d9

SHA512
7def8ca4f78b43f0bad5af959cc72b942d665cbe75c5783d17a5604a0980555291ba65ed815a6d53d65cadc392b8f65e9375477365eb2d9ed00522ff90fefad8

Download Submit
C:\ProgramData\Remote Manipulator System\install.log
MD5
95a303db6867dbb8281e3f27eba576e4

SHA1
131a1daaeccd135014f9d243a50fac8e0ce73a32

SHA256
e5e531fb80d40e19dafbfbc990fa67370cdeba5a1c65dcde9548c3857022dc0a

SHA512
c539e143196551ee28e1b518dc3ca26956d232c9f5bc56d8dbdb8e5382dc1948010606351981c4bc22825fdee8f3859971535f87269cbe00792db616b9d88905

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS_{F5CA539A-8D3B-443A-B621-7618B1CB0701}\host.msi
MD5
446ac56b1ad66ad6b89f74a11d760a10

SHA1
eaf117562c436cdd8ed445533f7f732c679fd6e7

SHA256
fac5d11d3fba654e3b650238738b27b5efd25f2dbb08621ec35fc2e7a4f01076

SHA512
1b6d36a81236be19772720bbf8572ead04da2984446972af7d2e4ca4a4a673b0d71e29db4dc6b665f6e325cb81c4f70c71140f096a578aa256ef214d8b81d686

Download Submit
C:\Windows\Installer\MSI5A5A.tmp
MD5
52185b209cfdb02d88b4a40a4bdf0911

SHA1
aa35fedfeefbee93bcca5a30feed8d240e2d1c95

SHA256
756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492

SHA512
8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\Windows\Installer\MSI5A5A.tmp
MD5
52185b209cfdb02d88b4a40a4bdf0911

SHA1
aa35fedfeefbee93bcca5a30feed8d240e2d1c95

SHA256
756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492

SHA512
8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3

Download Submit
memory/812-1243-0x0000000000000000-mapping.dmp

Download
memory/940-4-0x0000000000000000-mapping.dmp

Download
memory/1124-1248-0x0000000000000000-mapping.dmp

Download
memory/2152-9-0x0000000000000000-mapping.dmp

Download
memory/2568-427-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/2568-626-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-676-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-579-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-471-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-464-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-428-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-426-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2568-422-0x0000000000000000-mapping.dmp

Download
memory/2584-890-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2584-891-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2584-1222-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2584-1223-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2584-1234-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2584-1221-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/2584-894-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2584-892-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3460-874-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-831-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/3460-832-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-826-0x0000000000000000-mapping.dmp

Download
memory/3460-883-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-855-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-841-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-839-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3460-830-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/3772-1247-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/3772-1246-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3772-1242-0x0000000000000000-mapping.dmp

Download
memory/3824-358-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-19-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-360-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-418-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-11-0x0000000000000000-mapping.dmp

Download
memory/3824-17-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-18-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3824-419-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3824-420-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3824-120-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/3980-2-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3980-3-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3980-0-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3980-1-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4064-6-0x0000000000000000-mapping.dmp

Download