Analysis Overview
SHA256
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Threat Level: Known bad
The file tmp/fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file execution options in registry
Blocklisted process makes network request
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Modifies powershell logging option
Checks installed software on the system
Modifies WinLogon
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: SetClipboardViewer
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-28 17:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-28 17:00
Reported
2021-12-28 17:02
Platform
win7-en-20211208
Max time kernel
143s
Max time network
142s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Sets file execution options in registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f76f73a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFA8F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f73e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76f73c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFC25.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f73a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f73c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywmv_yex.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES530.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC510.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F8B60EFCC21853C0C6C4D7B689851286
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| LT | 5.133.65.53:80 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| RU | 77.247.243.43:5655 | tcp |
Files
memory/1724-56-0x00000000021B0000-0x00000000021B2000-memory.dmp
memory/1724-55-0x000007FEF2F10000-0x000007FEF3FA6000-memory.dmp
memory/1724-57-0x000007FEF23B0000-0x000007FEF2F0D000-memory.dmp
memory/1372-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ywmv_yex.cmdline
| MD5 | b3c2b8f2b705a708aa5d72ad3284eb7b |
| SHA1 | 358c8e4a38901bd9e6d42f748b667957766b7c99 |
| SHA256 | 7548821ba5c9c7004fb8a8c700667a09804957630e00d3af1eb802357fc6e83f |
| SHA512 | ce4343beb92a1d3413a671903c159f49354b3e2aca12835fcbc7c68ac7eadd1a678a69d9894e4e563ae51d10b4ac2be1d932971c4b761d7df96d6082b12a69ec |
\??\c:\Users\Admin\AppData\Local\Temp\ywmv_yex.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/1372-61-0x00000000020A0000-0x00000000020A2000-memory.dmp
memory/576-62-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC510.tmp
| MD5 | b624b41c38aa93de574d413b6f652efc |
| SHA1 | 007a0c0df6183909fbe02ad63291d4ee171d9b1d |
| SHA256 | 8ed3350ffa75c060005da129574e600dfab9a55dcca5ddb36f622a32817e811c |
| SHA512 | 1abe4d804ede9fecada3971bc01bd977c3b4b3bfa3a1b45ecd13e7318942aa8c5bdbce738980fe9d2882d6852cc2260c77bd5c6de317b5c8b3071b5285dce399 |
C:\Users\Admin\AppData\Local\Temp\RES530.tmp
| MD5 | 7ed52c78db24b22d54634fca7048ddd2 |
| SHA1 | 33cf078827b37ea77119869455b6b44110e59faf |
| SHA256 | a21cbe5eadd992c386853cd688cb734204c1a26784cde81dff2be010f25d4057 |
| SHA512 | 2da2e58cfe083162ab139737f89704624f76bf6d5f8a5f6cd907a17b74a37712896b141ac3aa7849de2cb92be13a96eca698eed2d850b01368003d04b5a5c2a4 |
C:\Users\Admin\AppData\Local\Temp\ywmv_yex.dll
| MD5 | 3b65fe8518ee80a217b6a97971c38073 |
| SHA1 | 1c1e9ed201699c827d7db91b8444b8229ffc6c77 |
| SHA256 | 828eb265e25499403e8c38bff1bb62b5f8ca4d84ebf53a88dbd14459b6ec97e1 |
| SHA512 | 9a58941714093c350c3eb72738dfe83711a3838cab9cb3002d990ad73f43539606ee3ec298e45f09b7e0e1d67ce7e08314b84fa172a8e12d6e30ea194fe9b86a |
C:\Users\Admin\AppData\Local\Temp\ywmv_yex.pdb
| MD5 | 06c78f76197d29b14c0ba54ac7fd7cd4 |
| SHA1 | bbd48be919f7da7035567e5fa16aed78de63aaac |
| SHA256 | 9c183bd8e5beff5f148c81e735d0e859205dc54a65428ee3c74af143c391505f |
| SHA512 | 98933003e9ae03f94e535d418a4b7d1f835fb8629f1f8a9b5697a44a16e7394c1ca556e00a0b49162f84fa3e1601170c09949785af0d01ac5ff0fa189a45fba8 |
memory/1456-67-0x0000000000000000-mapping.dmp
memory/1444-68-0x000007FEFC281000-0x000007FEFC283000-memory.dmp
memory/648-69-0x0000000000000000-mapping.dmp
memory/756-71-0x0000000000000000-mapping.dmp
memory/1636-72-0x0000000000000000-mapping.dmp
memory/912-73-0x0000000000000000-mapping.dmp
memory/2024-74-0x0000000000000000-mapping.dmp
memory/1364-76-0x0000000000000000-mapping.dmp
memory/924-78-0x0000000000000000-mapping.dmp
memory/1932-80-0x0000000000000000-mapping.dmp
memory/1740-82-0x0000000000000000-mapping.dmp
memory/1520-84-0x0000000000000000-mapping.dmp
memory/1608-85-0x0000000000000000-mapping.dmp
memory/1616-86-0x0000000000000000-mapping.dmp
memory/1724-87-0x00000000021DD000-0x00000000021DF000-memory.dmp
memory/1724-88-0x000000001B220000-0x000000001B239000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
memory/1556-89-0x0000000000000000-mapping.dmp
memory/1556-91-0x0000000075B11000-0x0000000075B13000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1692-94-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1692-98-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
| MD5 | 73e578a44265558d3ace212869d43cbb |
| SHA1 | d2c15578def8996ed0ae4a44754055b774b095a7 |
| SHA256 | 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4 |
| SHA512 | fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4 |
memory/1504-100-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e91f39181acab3d76d4263180872ded |
| SHA1 | f40ad03c27e686ba13a4894009dd1fed46256fd0 |
| SHA256 | 215ac6443b23506515d4e92e3046a9ca16b1deb270b691c59ad5ce437688c687 |
| SHA512 | b6953f4221158f6280a791e683d04e70c77d59f5cc941636fb5924f6ade7ed7afacb66e785e80fe11e762743ae6889e75c165d91bc49b00b65430f9063a6c56e |
memory/1188-104-0x0000000000000000-mapping.dmp
\Windows\Installer\MSIFA8F.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
memory/884-106-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1448-110-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/884-113-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1448-114-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1748-115-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1068-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\killself.bat
| MD5 | c2ac85b000427a4a00f19da237aaaf86 |
| SHA1 | 459ecb5e64576348e6c654724e87825772c06ea8 |
| SHA256 | b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352 |
| SHA512 | e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b |
memory/1748-122-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1892-123-0x00000000002F0000-0x00000000002F1000-memory.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | bc25377ade68750b834c81fa71c233b8 |
| SHA1 | 84dbb465dd2125f47668e2508e18af9bd6db2fd8 |
| SHA256 | 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3 |
| SHA512 | 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | e38372f576d927f525ef8e1a34b54664 |
| SHA1 | 26af9d1db0a3f91d7fe13147e55f06c302d59389 |
| SHA256 | 4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b |
| SHA512 | 78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | eeb2c52abbc7eb1c029b7fec45a7f22e |
| SHA1 | 8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61 |
| SHA256 | c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c |
| SHA512 | 0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | 038bf9f3a58560ad1130eeb85cdc1a87 |
| SHA1 | 3571eb7293a2a3a5bf6eb21e1569cd151d995d1a |
| SHA256 | d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d |
| SHA512 | 8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 4570f7a40357016c97afe0dd4faf749b |
| SHA1 | ebc8a1660f1103c655559caab3a70ec23ca187f1 |
| SHA256 | a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8 |
| SHA512 | 6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 292a1748850d1fdc91d4ec23b02d6902 |
| SHA1 | 8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d |
| SHA256 | acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f |
| SHA512 | cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704 |
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll
| MD5 | 3d0b27b3f8aa22575aa0faf0b2d67216 |
| SHA1 | 39fc787538849692ed7352418616f467b7a86a1d |
| SHA256 | d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44 |
| SHA512 | 19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8 |
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll
| MD5 | 2ddfa39f5c2fd3f00681ef2970617e4b |
| SHA1 | 8152aa18afbacf398b92168995ec8696d3fe3659 |
| SHA256 | f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791 |
| SHA512 | f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20 |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
memory/460-137-0x0000000000000000-mapping.dmp
memory/1608-136-0x0000000000000000-mapping.dmp
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
memory/460-142-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1608-143-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
memory/1756-144-0x0000000000000000-mapping.dmp
memory/1756-147-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-28 17:00
Reported
2021-12-28 17:02
Platform
win10-en-20211208
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Sets file execution options in registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIA758.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76a44a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76a44d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| File created | C:\Windows\Installer\f76a44a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA891.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\fca2ee24-3777-4893-aa3c-94407208a71a_$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xezfubu9.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA421.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA420.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0DC57DC3A448B11A2ED1F4A870EC732F
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | tcp | |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| DE | 23.51.123.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| RU | 77.247.243.43:5655 | tcp |
Files
memory/2464-115-0x0000000002890000-0x0000000002892000-memory.dmp
memory/2464-116-0x00007FFFCF630000-0x00007FFFD018D000-memory.dmp
memory/1020-117-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xezfubu9.cmdline
| MD5 | 5488b9c51549ebdcaf2f276c4e0a421d |
| SHA1 | 20b148d32d30db3e3c376d39d0aa7463c8feff7c |
| SHA256 | 5d3edc4a5e877ce0a8f3f994850bfd062984c589ba06ef0fd56c03df3015e7e1 |
| SHA512 | d2089753a23f025362e00e59d6eb451a120fb815cbd29dc0c0029517a8309646f8188ba03e97ba453c3f1404d7ffa35158777538cc6ab165bbed9bbffe988f2a |
\??\c:\Users\Admin\AppData\Local\Temp\xezfubu9.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/1020-120-0x00000000020A0000-0x00000000020A2000-memory.dmp
memory/1348-121-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCA420.tmp
| MD5 | 1b64896485a4383aa3575f348ee8dbc8 |
| SHA1 | b4b83ce635d970548f3d16cb1cdee322b34ea137 |
| SHA256 | 768a9291a2bb4ab29643c80af4f50e410003463072ac77222551e24b0c41d603 |
| SHA512 | 5a985837161dc8a68d60babcaf419e7d16e4a1464317bb44cc780c8179ab7d08710752785f342619eb6a8a85015f127dd0eec6cdc3174da4075c09c69f1e2548 |
C:\Users\Admin\AppData\Local\Temp\RESA421.tmp
| MD5 | aee4d6888463030a9878d42b30ba509a |
| SHA1 | c4858d0b4b2d94bac83317e7f15540bb690d4285 |
| SHA256 | ca9586e868d2902714bb3af39d418eb6e6f61989a463bf1dd3d7a95056a7f249 |
| SHA512 | 52564e43159e26d3f96fb7122a667bbc9fcbe585c0d6ee41b5e7977ab2ddefad29be678cacac575091d1daaac986ed90b98ae6718a8544a20b6a02a1ef41a090 |
C:\Users\Admin\AppData\Local\Temp\xezfubu9.dll
| MD5 | 051bf2fcd883c1c0dcdcf465b0572bad |
| SHA1 | c667430ab30b60a6419093fc09c78b5e7085562a |
| SHA256 | 06a0fca183d400e806aecd175c26edad25db8455454eb4bea47684b914543d54 |
| SHA512 | 4af56a68621afa2f68a07f60193381c8ade394f3a36c4a53aebf704846bde293cfa15fb55ffacda4f4eefbdd099796a7071d4789a0623c4223d378c634a39b70 |
C:\Users\Admin\AppData\Local\Temp\xezfubu9.pdb
| MD5 | 3b482ad22ef05fc166f43e8eb235fa5a |
| SHA1 | 8b9e64dc6b405bd8c27ab26962b3a22d5d26188c |
| SHA256 | c0a287a6c234741499f15b534b41cf67ff077822922d6b65187178732b57cf1b |
| SHA512 | d465e4f12703f187bab9b929b48cddfc7ba5345c59e395e28125ec8b78a139a735daebd027955f83c3e25b25c6d367350b564b929b08273a3e779f9bdadba895 |
memory/1400-126-0x0000000000000000-mapping.dmp
memory/2624-127-0x00000239CB8B0000-0x00000239CB8B2000-memory.dmp
memory/2624-128-0x00000239CB8B0000-0x00000239CB8B2000-memory.dmp
memory/828-129-0x0000000000000000-mapping.dmp
memory/2840-130-0x0000000000000000-mapping.dmp
memory/3340-131-0x0000000000000000-mapping.dmp
memory/1396-132-0x0000000000000000-mapping.dmp
memory/1484-133-0x0000000000000000-mapping.dmp
memory/4020-134-0x0000000000000000-mapping.dmp
memory/2124-135-0x0000000000000000-mapping.dmp
memory/2580-136-0x0000000000000000-mapping.dmp
memory/3292-137-0x0000000000000000-mapping.dmp
memory/2464-138-0x0000000002896000-0x0000000002898000-memory.dmp
memory/1348-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
C:\Users\Admin\AppData\Local\Temp\tmp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1400-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2252-145-0x0000000000000000-mapping.dmp
memory/2252-147-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2252-146-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1400-148-0x0000000000B40000-0x0000000000BEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
| MD5 | 73e578a44265558d3ace212869d43cbb |
| SHA1 | d2c15578def8996ed0ae4a44754055b774b095a7 |
| SHA256 | 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4 |
| SHA512 | fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4 |
memory/1588-151-0x000001DC65E20000-0x000001DC65E22000-memory.dmp
memory/1588-150-0x000001DC65E20000-0x000001DC65E22000-memory.dmp
memory/3208-152-0x0000000000000000-mapping.dmp
memory/3208-153-0x0000000000680000-0x0000000000681000-memory.dmp
memory/3208-154-0x0000000000680000-0x0000000000681000-memory.dmp
C:\Windows\Installer\MSIA758.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
\Windows\Installer\MSIA758.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
memory/3300-157-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2976-160-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2056-162-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2020-165-0x0000000000000000-mapping.dmp
memory/2976-177-0x0000000000AB0000-0x0000000000BFA000-memory.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | e38372f576d927f525ef8e1a34b54664 |
| SHA1 | 26af9d1db0a3f91d7fe13147e55f06c302d59389 |
| SHA256 | 4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b |
| SHA512 | 78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | eeb2c52abbc7eb1c029b7fec45a7f22e |
| SHA1 | 8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61 |
| SHA256 | c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c |
| SHA512 | 0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | 038bf9f3a58560ad1130eeb85cdc1a87 |
| SHA1 | 3571eb7293a2a3a5bf6eb21e1569cd151d995d1a |
| SHA256 | d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d |
| SHA512 | 8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 4570f7a40357016c97afe0dd4faf749b |
| SHA1 | ebc8a1660f1103c655559caab3a70ec23ca187f1 |
| SHA256 | a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8 |
| SHA512 | 6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 292a1748850d1fdc91d4ec23b02d6902 |
| SHA1 | 8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d |
| SHA256 | acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f |
| SHA512 | cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704 |
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll
| MD5 | 3d0b27b3f8aa22575aa0faf0b2d67216 |
| SHA1 | 39fc787538849692ed7352418616f467b7a86a1d |
| SHA256 | d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44 |
| SHA512 | 19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8 |
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll
| MD5 | 2ddfa39f5c2fd3f00681ef2970617e4b |
| SHA1 | 8152aa18afbacf398b92168995ec8696d3fe3659 |
| SHA256 | f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791 |
| SHA512 | f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20 |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | bc25377ade68750b834c81fa71c233b8 |
| SHA1 | 84dbb465dd2125f47668e2508e18af9bd6db2fd8 |
| SHA256 | 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3 |
| SHA512 | 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5 |
memory/3300-166-0x0000000000B10000-0x0000000000BBE000-memory.dmp
memory/2056-178-0x00000000028D0000-0x00000000028D1000-memory.dmp
memory/1432-179-0x00000000001D0000-0x00000000001F3000-memory.dmp
memory/2256-181-0x0000000000000000-mapping.dmp
memory/2300-180-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Users\Admin\AppData\Local\Temp\killself.bat
| MD5 | c2ac85b000427a4a00f19da237aaaf86 |
| SHA1 | 459ecb5e64576348e6c654724e87825772c06ea8 |
| SHA256 | b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352 |
| SHA512 | e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b |
memory/2256-186-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/2300-185-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/2516-187-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
memory/2516-189-0x0000000000B90000-0x0000000000B91000-memory.dmp