Analysis Overview
SHA256
ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc
Threat Level: Known bad
The file ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Stops running service(s)
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Runs ping.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: SetClipboardViewer
Enumerates processes with tasklist
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 14:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 14:20
Reported
2022-01-28 14:40
Platform
win7-en-20211208
Max time kernel
151s
Max time network
185s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\set.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setting.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Stops running service(s)
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\gdiplus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msvcr90.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rasadhlp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\oledlg.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\ripcserver.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rwln.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msvcp90.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\RWLN.dll | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RWLN.dll | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msimg32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI8085.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f767e48.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f767e44.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f767e44.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f767e46.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI893D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f767e46.ipi | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList | C:\Windows\system32\msiexec.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
"C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "
C:\Users\Admin\AppData\Local\Temp\set.exe
set.exe -p1234567890__
C:\Users\Admin\AppData\Local\Temp\setting.exe
"C:\Users\Admin\AppData\Local\Temp\setting.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Windows\system32\sysfiles"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Windows\syswow64\sysfiles"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
C:\Windows\SysWOW64\net.exe
net stop rmanservice
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rmanservice
C:\Windows\SysWOW64\sc.exe
sc delete "rmanservice"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rfusclient.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rfusclient.exe *32"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe *32
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe *32"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe *32
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f
C:\Windows\SysWOW64\PING.EXE
ping -n 1 -w 500 google.com.ua
C:\Windows\SysWOW64\msiexec.exe
MsiExec /I "rms5.2.1.msi" /qn
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B603BA5451C785DBBB24A591E95F3857
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com.ua | udp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/944-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\123.cmd
| MD5 | dada62ed88a4fb1239573b99fece59b2 |
| SHA1 | 39880571a27c2688559a81fdb4121339a83b3762 |
| SHA256 | 43a93ceb9df8b17b5980b8e9c499ae1fccf248a06ee817f1987835f5d91f5fb8 |
| SHA512 | fc51a3a00603620ca06430d21d188eb2608ab83fb26bf69822839fdb8eecf36e65dc8a4b0f57a811e9cfa0460a22ebed2a3362e0b65afd585fc299f1629a303f |
\Users\Admin\AppData\Local\Temp\set.exe
| MD5 | f624911632ad4cd93be43acff8156739 |
| SHA1 | 26a237d180aee2cacac89ee0c14ba5cb6a95635a |
| SHA256 | 5c020a7147cdc2d0989d72e610ea5ec8f412d3fe6d5de681c05c1e66d5aca08a |
| SHA512 | 728324b42fbdb758045f9cea7a815bd73951603083ff74d95d810cc080483f77a90718ae4c81af8e938791b0f39fa85d3a49a28fd90b353bb29ec59996f97bd8 |
C:\Users\Admin\AppData\Local\Temp\set.exe
| MD5 | f624911632ad4cd93be43acff8156739 |
| SHA1 | 26a237d180aee2cacac89ee0c14ba5cb6a95635a |
| SHA256 | 5c020a7147cdc2d0989d72e610ea5ec8f412d3fe6d5de681c05c1e66d5aca08a |
| SHA512 | 728324b42fbdb758045f9cea7a815bd73951603083ff74d95d810cc080483f77a90718ae4c81af8e938791b0f39fa85d3a49a28fd90b353bb29ec59996f97bd8 |
C:\Users\Admin\AppData\Local\Temp\set.exe
| MD5 | f624911632ad4cd93be43acff8156739 |
| SHA1 | 26a237d180aee2cacac89ee0c14ba5cb6a95635a |
| SHA256 | 5c020a7147cdc2d0989d72e610ea5ec8f412d3fe6d5de681c05c1e66d5aca08a |
| SHA512 | 728324b42fbdb758045f9cea7a815bd73951603083ff74d95d810cc080483f77a90718ae4c81af8e938791b0f39fa85d3a49a28fd90b353bb29ec59996f97bd8 |
\Users\Admin\AppData\Local\Temp\setting.exe
| MD5 | d397b982d75bc4f96cc69a5d2d1f665f |
| SHA1 | 18e4c090d92377e223163a7351c9c45b10bd1b57 |
| SHA256 | 237821f5e9f0d623b0071b4b4a86aa000d664b028ab922801cf39c16ebf64908 |
| SHA512 | df8ccdab8c2927f181e694bbd9b3f1de5a7cb07b26e15863e44151237385c561e7376b2a03f77e99ed9ed7a0324cfc88ae04bb53efb3230415b64e576b13b2a0 |
C:\Users\Admin\AppData\Local\Temp\setting.exe
| MD5 | d397b982d75bc4f96cc69a5d2d1f665f |
| SHA1 | 18e4c090d92377e223163a7351c9c45b10bd1b57 |
| SHA256 | 237821f5e9f0d623b0071b4b4a86aa000d664b028ab922801cf39c16ebf64908 |
| SHA512 | df8ccdab8c2927f181e694bbd9b3f1de5a7cb07b26e15863e44151237385c561e7376b2a03f77e99ed9ed7a0324cfc88ae04bb53efb3230415b64e576b13b2a0 |
C:\Users\Admin\AppData\Local\Temp\setting.exe
| MD5 | d397b982d75bc4f96cc69a5d2d1f665f |
| SHA1 | 18e4c090d92377e223163a7351c9c45b10bd1b57 |
| SHA256 | 237821f5e9f0d623b0071b4b4a86aa000d664b028ab922801cf39c16ebf64908 |
| SHA512 | df8ccdab8c2927f181e694bbd9b3f1de5a7cb07b26e15863e44151237385c561e7376b2a03f77e99ed9ed7a0324cfc88ae04bb53efb3230415b64e576b13b2a0 |
C:\Users\Admin\AppData\Local\Temp\install.cmd
| MD5 | 499028434065d60b17cadab9c68c9625 |
| SHA1 | 82e73ef575ca5abffa9fbbe78047df7d10118ab5 |
| SHA256 | cd05ca97cee790d26821ff676136a2164872886e61124a8172cfb36b28fcf0ed |
| SHA512 | 2beeabeb93328f64c5864fbeaa78848528c4a0709d3e3235de81ffcb89b46011cfb9cc281fb494e62a36925d04e14017988ba735309017b4f75866181f811869 |
memory/528-87-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\rms5.2.1.msi
| MD5 | 9eebcee6f54b469a75d1360daf24fbb8 |
| SHA1 | 94980e8be1dfb084cb1ed7dd75afe7f5f9aedf0b |
| SHA256 | 07914aaa28f784dced0c8a76f9491d1e61ce17e8e206fa6c94378e8ad9d09511 |
| SHA512 | a5d52cd24f52d0fed96af09b6c1aceafef08756ac1a1c2a4d2841c562b42b56866b4a959ec7f23247fc6ef2672e5211c9281138a1e756ba7e5cc11b07a42027c |
C:\Windows\Installer\MSI8085.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
\Windows\Installer\MSI8085.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
memory/1964-126-0x0000000000240000-0x0000000000241000-memory.dmp
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
memory/1492-137-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Windows\SysWOW64\sysfiles\RWLN.dll
| MD5 | bb1f3e716d12734d1d2d9219a3979a62 |
| SHA1 | 0ef66eed2f2ae45ec2d478902833b830334109cb |
| SHA256 | d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077 |
| SHA512 | bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
memory/2008-143-0x0000000000240000-0x0000000000241000-memory.dmp
\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
memory/1904-155-0x0000000000240000-0x0000000000241000-memory.dmp
\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | af74ff71f11cec559a5aaee9a41c9710 |
| SHA1 | 0df60a0511d2ae122a8e5b736efda1bdf0bee41d |
| SHA256 | 66a1f91373099569c354e909757faac87a5d6f00bc7fdd3d9a85e4324bae9a80 |
| SHA512 | e8f8b566c9116c42d57dbe6edf20b76b96976f7e5f7c9ba766a6d3e7aa4b49404bb66456e56d25c6623d5a2a963cec19e0dc4a7caa6ed3fe22074b747dffd5e9 |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
memory/896-165-0x0000000000230000-0x0000000000231000-memory.dmp
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll
| MD5 | 8e3f59b8c9dfc933fca30edefeb76186 |
| SHA1 | 37a78089d5936d1bc3b60915971604c611a94dbd |
| SHA256 | 528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8 |
| SHA512 | 3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d |
C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll
| MD5 | ff622a8812d8b1eff8f8d1a32087f9d2 |
| SHA1 | 910615c9374b8734794ac885707ff5370db42ef1 |
| SHA256 | 1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf |
| SHA512 | 1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931 |
C:\Windows\SysWOW64\sysfiles\gdiplus.dll
| MD5 | 871c903a90c45ca08a9d42803916c3f7 |
| SHA1 | d962a12bc15bfb4c505bb63f603ca211588958db |
| SHA256 | f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645 |
| SHA512 | 985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145 |
C:\Windows\SysWOW64\sysfiles\msvcp90.dll
| MD5 | b2eee3dee31f50e082e9c720a6d7757d |
| SHA1 | 3322840fef43c92fb55dc31e682d19970daf159d |
| SHA256 | 4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01 |
| SHA512 | 8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3 |
C:\Windows\SysWOW64\sysfiles\vp8decoder.dll
| MD5 | 6f6bfe02e84a595a56b456f72debd4ee |
| SHA1 | 90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2 |
| SHA256 | 5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51 |
| SHA512 | ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50 |
C:\Windows\SysWOW64\sysfiles\vp8encoder.dll
| MD5 | c638bca1a67911af7f9ed67e7b501154 |
| SHA1 | 0fd74d2f1bd78f678b897a776d8bce36742c39b7 |
| SHA256 | 519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8 |
| SHA512 | ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f |
C:\Windows\SysWOW64\sysfiles\ripcserver.dll
| MD5 | 30e269f850baf6ca25187815912e21c5 |
| SHA1 | eb160de97d12b4e96f350dd0d0126d41d658afb3 |
| SHA256 | 379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90 |
| SHA512 | 9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7 |
C:\Windows\SysWOW64\sysfiles\rasadhlp.dll
| MD5 | 8679b09cc9600a1f11a3c09cec12637b |
| SHA1 | cad5c92e561b64d1f4e1f70c7596dcf186304ecb |
| SHA256 | 7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f |
| SHA512 | 93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6 |
C:\Windows\SysWOW64\sysfiles\msvcr90.dll
| MD5 | 7538050656fe5d63cb4b80349dd1cfe3 |
| SHA1 | f825c40fee87cc9952a61c8c34e9f6eee8da742d |
| SHA256 | e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099 |
| SHA512 | 843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8 |
memory/1540-178-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
memory/1944-186-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1912-185-0x0000000000240000-0x0000000000241000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 14:20
Reported
2022-01-28 14:40
Platform
win10-en-20211208
Max time kernel
166s
Max time network
175s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\set.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setting.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Stops running service(s)
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msimg32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msvcp90.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rwln.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\RWLN.dll | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RWLN.dll | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\oledlg.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\gdiplus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rasadhlp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\ripcserver.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\sysfiles\msvcr90.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI6D4D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76637c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f766379.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI69E1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f766379.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{AB7AA605-500F-4153-8207-FB5563419112} | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rutserv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sysfiles\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe
"C:\Users\Admin\AppData\Local\Temp\ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.cmd" "
C:\Users\Admin\AppData\Local\Temp\set.exe
set.exe -p1234567890__
C:\Users\Admin\AppData\Local\Temp\setting.exe
"C:\Users\Admin\AppData\Local\Temp\setting.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Windows\system32\sysfiles"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Windows\syswow64\sysfiles"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
C:\Windows\SysWOW64\attrib.exe
attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"
C:\Windows\SysWOW64\net.exe
net stop rmanservice
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rmanservice
C:\Windows\SysWOW64\sc.exe
sc delete "rmanservice"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rfusclient.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rfusclient.exe *32"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe *32
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe *32"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe *32
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f
C:\Windows\SysWOW64\PING.EXE
ping -n 1 -w 500 google.com.ua
C:\Windows\SysWOW64\msiexec.exe
MsiExec /I "rms5.2.1.msi" /qn
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 310A726E74D5FDA53CA1D428FB4C2022
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\sysfiles\rutserv.exe
"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com.ua | udp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\123.cmd
| MD5 | dada62ed88a4fb1239573b99fece59b2 |
| SHA1 | 39880571a27c2688559a81fdb4121339a83b3762 |
| SHA256 | 43a93ceb9df8b17b5980b8e9c499ae1fccf248a06ee817f1987835f5d91f5fb8 |
| SHA512 | fc51a3a00603620ca06430d21d188eb2608ab83fb26bf69822839fdb8eecf36e65dc8a4b0f57a811e9cfa0460a22ebed2a3362e0b65afd585fc299f1629a303f |
C:\Users\Admin\AppData\Local\Temp\set.exe
| MD5 | f624911632ad4cd93be43acff8156739 |
| SHA1 | 26a237d180aee2cacac89ee0c14ba5cb6a95635a |
| SHA256 | 5c020a7147cdc2d0989d72e610ea5ec8f412d3fe6d5de681c05c1e66d5aca08a |
| SHA512 | 728324b42fbdb758045f9cea7a815bd73951603083ff74d95d810cc080483f77a90718ae4c81af8e938791b0f39fa85d3a49a28fd90b353bb29ec59996f97bd8 |
C:\Users\Admin\AppData\Local\Temp\set.exe
| MD5 | f624911632ad4cd93be43acff8156739 |
| SHA1 | 26a237d180aee2cacac89ee0c14ba5cb6a95635a |
| SHA256 | 5c020a7147cdc2d0989d72e610ea5ec8f412d3fe6d5de681c05c1e66d5aca08a |
| SHA512 | 728324b42fbdb758045f9cea7a815bd73951603083ff74d95d810cc080483f77a90718ae4c81af8e938791b0f39fa85d3a49a28fd90b353bb29ec59996f97bd8 |
C:\Users\Admin\AppData\Local\Temp\setting.exe
| MD5 | d397b982d75bc4f96cc69a5d2d1f665f |
| SHA1 | 18e4c090d92377e223163a7351c9c45b10bd1b57 |
| SHA256 | 237821f5e9f0d623b0071b4b4a86aa000d664b028ab922801cf39c16ebf64908 |
| SHA512 | df8ccdab8c2927f181e694bbd9b3f1de5a7cb07b26e15863e44151237385c561e7376b2a03f77e99ed9ed7a0324cfc88ae04bb53efb3230415b64e576b13b2a0 |
C:\Users\Admin\AppData\Local\Temp\setting.exe
| MD5 | d397b982d75bc4f96cc69a5d2d1f665f |
| SHA1 | 18e4c090d92377e223163a7351c9c45b10bd1b57 |
| SHA256 | 237821f5e9f0d623b0071b4b4a86aa000d664b028ab922801cf39c16ebf64908 |
| SHA512 | df8ccdab8c2927f181e694bbd9b3f1de5a7cb07b26e15863e44151237385c561e7376b2a03f77e99ed9ed7a0324cfc88ae04bb53efb3230415b64e576b13b2a0 |
C:\Users\Admin\AppData\Local\Temp\install.cmd
| MD5 | 499028434065d60b17cadab9c68c9625 |
| SHA1 | 82e73ef575ca5abffa9fbbe78047df7d10118ab5 |
| SHA256 | cd05ca97cee790d26821ff676136a2164872886e61124a8172cfb36b28fcf0ed |
| SHA512 | 2beeabeb93328f64c5864fbeaa78848528c4a0709d3e3235de81ffcb89b46011cfb9cc281fb494e62a36925d04e14017988ba735309017b4f75866181f811869 |
C:\Users\Admin\AppData\Local\Temp\rms5.2.1.msi
| MD5 | 9eebcee6f54b469a75d1360daf24fbb8 |
| SHA1 | 94980e8be1dfb084cb1ed7dd75afe7f5f9aedf0b |
| SHA256 | 07914aaa28f784dced0c8a76f9491d1e61ce17e8e206fa6c94378e8ad9d09511 |
| SHA512 | a5d52cd24f52d0fed96af09b6c1aceafef08756ac1a1c2a4d2841c562b42b56866b4a959ec7f23247fc6ef2672e5211c9281138a1e756ba7e5cc11b07a42027c |
C:\Windows\Installer\MSI69E1.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
\Windows\Installer\MSI69E1.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
C:\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
C:\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
memory/3124-257-0x0000000002710000-0x0000000002711000-memory.dmp
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\RWLN.dll
| MD5 | bb1f3e716d12734d1d2d9219a3979a62 |
| SHA1 | 0ef66eed2f2ae45ec2d478902833b830334109cb |
| SHA256 | d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077 |
| SHA512 | bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
memory/3676-265-0x0000000000900000-0x0000000000A4A000-memory.dmp
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
memory/2340-272-0x0000000002890000-0x0000000002AA0000-memory.dmp
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | af74ff71f11cec559a5aaee9a41c9710 |
| SHA1 | 0df60a0511d2ae122a8e5b736efda1bdf0bee41d |
| SHA256 | 66a1f91373099569c354e909757faac87a5d6f00bc7fdd3d9a85e4324bae9a80 |
| SHA512 | e8f8b566c9116c42d57dbe6edf20b76b96976f7e5f7c9ba766a6d3e7aa4b49404bb66456e56d25c6623d5a2a963cec19e0dc4a7caa6ed3fe22074b747dffd5e9 |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\rutserv.exe
| MD5 | 5cd22562ef246c66c255676937d33f0d |
| SHA1 | 1d44452f59a8cf755e7931c55f2f84d147400b8e |
| SHA256 | a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246 |
| SHA512 | 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
memory/492-278-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
memory/1824-279-0x00000000001D0000-0x00000000001F3000-memory.dmp
C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll
| MD5 | 8e3f59b8c9dfc933fca30edefeb76186 |
| SHA1 | 37a78089d5936d1bc3b60915971604c611a94dbd |
| SHA256 | 528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8 |
| SHA512 | 3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d |
C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll
| MD5 | ff622a8812d8b1eff8f8d1a32087f9d2 |
| SHA1 | 910615c9374b8734794ac885707ff5370db42ef1 |
| SHA256 | 1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf |
| SHA512 | 1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931 |
C:\Windows\SysWOW64\sysfiles\gdiplus.dll
| MD5 | 871c903a90c45ca08a9d42803916c3f7 |
| SHA1 | d962a12bc15bfb4c505bb63f603ca211588958db |
| SHA256 | f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645 |
| SHA512 | 985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145 |
C:\Windows\SysWOW64\sysfiles\msvcp90.dll
| MD5 | b2eee3dee31f50e082e9c720a6d7757d |
| SHA1 | 3322840fef43c92fb55dc31e682d19970daf159d |
| SHA256 | 4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01 |
| SHA512 | 8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3 |
C:\Windows\SysWOW64\sysfiles\vp8encoder.dll
| MD5 | c638bca1a67911af7f9ed67e7b501154 |
| SHA1 | 0fd74d2f1bd78f678b897a776d8bce36742c39b7 |
| SHA256 | 519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8 |
| SHA512 | ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f |
C:\Windows\SysWOW64\sysfiles\vp8decoder.dll
| MD5 | 6f6bfe02e84a595a56b456f72debd4ee |
| SHA1 | 90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2 |
| SHA256 | 5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51 |
| SHA512 | ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50 |
C:\Windows\SysWOW64\sysfiles\ripcserver.dll
| MD5 | 30e269f850baf6ca25187815912e21c5 |
| SHA1 | eb160de97d12b4e96f350dd0d0126d41d658afb3 |
| SHA256 | 379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90 |
| SHA512 | 9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7 |
C:\Windows\SysWOW64\sysfiles\rasadhlp.dll
| MD5 | 8679b09cc9600a1f11a3c09cec12637b |
| SHA1 | cad5c92e561b64d1f4e1f70c7596dcf186304ecb |
| SHA256 | 7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f |
| SHA512 | 93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6 |
C:\Windows\SysWOW64\sysfiles\msvcr90.dll
| MD5 | 7538050656fe5d63cb4b80349dd1cfe3 |
| SHA1 | f825c40fee87cc9952a61c8c34e9f6eee8da742d |
| SHA256 | e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099 |
| SHA512 | 843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
memory/3940-297-0x0000000000870000-0x000000000091E000-memory.dmp
memory/2744-298-0x00000000025D0000-0x00000000025D1000-memory.dmp
C:\Windows\SysWOW64\sysfiles\rfusclient.exe
| MD5 | fd73724d0268dafcefb8b4061e4045b0 |
| SHA1 | 8205f76d796577817d5f9c1ef735a229c69a215f |
| SHA256 | cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2 |
| SHA512 | 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e |
\Windows\SysWOW64\sysfiles\msimg32.dll
| MD5 | 51af730a69ae4d520bed1ef9b658e0f8 |
| SHA1 | d2fbeac55b43bc4503154c465a99e91f57f9cbd3 |
| SHA256 | 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe |
| SHA512 | 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685 |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |
\Windows\SysWOW64\sysfiles\oledlg.dll
| MD5 | d3f47f9ef1d3c358446c3680021e98ac |
| SHA1 | 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6 |
| SHA256 | 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede |
| SHA512 | eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f |