Malware Analysis Report

2024-11-15 08:39

Sample ID 220416-f6xckscadk
Target $77_loader.exe
SHA256 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Tags
discovery evasion persistence rms rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

Threat Level: Known bad

The file $77_loader.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence rms rat trojan

RMS

Downloads MZ/PE file

Sets file execution options in registry

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Modifies powershell logging option

Enumerates connected drives

Modifies WinLogon

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: SetClipboardViewer

Suspicious behavior: EnumeratesProcesses

Gathers network information

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-16 05:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-16 05:29

Reported

2022-04-16 05:32

Platform

win7-20220414-en

Max time kernel

153s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A

Sets file execution options in registry

persistence

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe N/A

Checks installed software on the system

discovery

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A

Modifies powershell logging option

evasion

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1884 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1884 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1604 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1604 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1604 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1884 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1884 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1884 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1884 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1884 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1112 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 860 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp"

C:\Windows\system32\chcp.com

"C:\Windows\system32\chcp.com" 437

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy reset

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Users\Admin\AppData\Local\Temp\RMS.exe

"C:\Users\Admin\AppData\Local\Temp\RMS.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn

Network

Country Destination Domain Proto
US 8.8.8.8:53 msupdate.info udp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 msupdate.info udp
LT 5.133.65.53:443 msupdate.info tcp
LT 5.133.65.53:80 msupdate.info tcp
N/A 127.0.0.1:999 tcp
N/A 127.0.0.1:999 tcp
N/A 127.0.0.1:999 tcp
N/A 127.0.0.1:5650 tcp
RU 77.247.243.43:5655 tcp
LT 5.133.65.53:443 msupdate.info tcp

Files

memory/1884-54-0x000007FEF39D0000-0x000007FEF4A66000-memory.dmp

memory/1884-55-0x000007FEEE760000-0x000007FEEF2BD000-memory.dmp

memory/1604-56-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline

MD5 64a68a4e66e77da60bb5f7eaaf57dc48
SHA1 4e9c01d758238621db4e48393ea6e27bb69e61ce
SHA256 03cd1f7dd37dca5b739c158b6b49ae163d1b7876b5efc5a85d8c0a67e0560a33
SHA512 f4203c58151d4a360d9078607f40ce180b1f7aab4bd56ec74f606cd283411d0a071d280aff18b98db44d467413b7d71e02aab9fbd35d5b3fca8905a783f608da

\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.0.cs

MD5 1640a04633fee0dfdc7e22c4f4063bf6
SHA1 3cb525c47b5dd37f8ee45b034c9452265fba5476
SHA256 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
SHA512 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

memory/1312-59-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp

MD5 bfff1fdd1891d6abe22a5190674c5f75
SHA1 b332bba58f14ffecb0c65dfab1bf3f2768b9f5b8
SHA256 31cc624c565faf405fe313eba91211316e01eed91cf9608230d19e214ff7339f
SHA512 2e3296eea0ea31b33cc2244f59c22893d5e4aae1e183e9468595948eac63d4990474e84b102d17f31cdd25de4bf6c7d79a456ec22c341e24551cd191888a13df

C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp

MD5 ecd44e1b05ff5cbe348452205cb6817c
SHA1 2dfd14c7d0bb084048b29be433cb5272e2600381
SHA256 4700e9591d1c219c9c439a0fb3b8146f4b7e9169bfcfd6775ebaab3dd6f54076
SHA512 f7487ef9e5c251fe66bc189664c3036ca02934e4493e68ce8f34e92d88c90d1b89be66cf0d484f606069ff35521ecd1d7da0d47abcedad7cc2336aa440b9a761

C:\Users\Admin\AppData\Local\Temp\7pfhmfid.dll

MD5 196e4191a5c2d9ed3c16732d8bd89653
SHA1 3283fb09f93b2c5d6aa4e5b88f46a492fbab6270
SHA256 12ac6124bada4d415df7594e7897612a7474917bd354f5076790dc4e72292936
SHA512 90af409c12b294deda59e9cb602fd62e97255788e504eba58be4de28045a83de55c116ce2c030db03022577659b69a7439858eb45ff7ac70bcdd27763be8bcff

C:\Users\Admin\AppData\Local\Temp\7pfhmfid.pdb

MD5 30856c96c1615aadf1f11875bda8acb7
SHA1 38335c38f1c7164c9c0b481125f6e43c4bd69035
SHA256 27b3acece18342543cc3cc33a70f49b9a0cb2eb5b4d8d6199086b2ac6bf63e85
SHA512 9091b445e9c62dddf0bbb88a37d9fdfbaabcc38d22cd87965145334560a5431036f35e0f1e0b71e6062fd3054fd736f8a8320cf0774753c96f2a97e4534e9e67

memory/1632-64-0x0000000000000000-mapping.dmp

memory/432-65-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

memory/948-66-0x0000000000000000-mapping.dmp

memory/2032-68-0x0000000000000000-mapping.dmp

memory/1224-69-0x0000000000000000-mapping.dmp

memory/1600-70-0x0000000000000000-mapping.dmp

memory/1608-71-0x0000000000000000-mapping.dmp

memory/1280-73-0x0000000000000000-mapping.dmp

memory/1328-75-0x0000000000000000-mapping.dmp

memory/600-77-0x0000000000000000-mapping.dmp

memory/1548-79-0x0000000000000000-mapping.dmp

memory/684-81-0x0000000000000000-mapping.dmp

memory/1860-82-0x0000000000000000-mapping.dmp

memory/1252-83-0x0000000000000000-mapping.dmp

memory/1884-84-0x000000001B580000-0x000000001B599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RMS.exe

MD5 73f351beae5c881fafe36f42cde9a47c
SHA1 dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512 f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

memory/1112-85-0x0000000000000000-mapping.dmp

memory/1112-87-0x0000000075191000-0x0000000075193000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RMS.exe

MD5 73f351beae5c881fafe36f42cde9a47c
SHA1 dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512 f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

memory/860-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

MD5 73e578a44265558d3ace212869d43cbb
SHA1 d2c15578def8996ed0ae4a44754055b774b095a7
SHA256 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4
SHA512 fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

memory/1280-95-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-16 05:29

Reported

2022-04-16 05:32

Platform

win10v2004-20220414-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

Signatures

RMS

trojan rat rms

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Sets file execution options in registry

persistence

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RMS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A

Modifies powershell logging option

evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\English.lg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
File opened for modification C:\Windows\Installer\e57fd4c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI329.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57fd4f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
File created C:\Windows\Installer\e57fd4c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1200 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1200 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1792 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1792 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1792 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1792 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1792 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1792 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 2740 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 2740 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 2740 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 4608 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 4608 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 4608 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 3008 wrote to memory of 3676 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3008 wrote to memory of 3676 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3008 wrote to memory of 3676 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3008 wrote to memory of 1524 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 1524 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 1524 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 3008 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 4608 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 1848 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1664 wrote to memory of 1848 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1664 wrote to memory of 1848 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1664 wrote to memory of 1684 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1664 wrote to memory of 1684 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1664 wrote to memory of 1684 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1684 wrote to memory of 2580 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1684 wrote to memory of 2580 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
PID 1684 wrote to memory of 2580 N/A C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lazxtzg.cmdline"

C:\Windows\system32\chcp.com

"C:\Windows\system32\chcp.com" 437

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7370.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7360.tmp"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy reset

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Users\Admin\AppData\Local\Temp\RMS.exe

"C:\Users\Admin\AppData\Local\Temp\RMS.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 44A6A13A3E5D163B43B76F0928A3E71F

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 52.109.8.21:443 tcp
US 8.8.8.8:53 msupdate.info udp
US 8.8.8.8:53 msupdate.info udp
LT 5.133.65.53:443 msupdate.info tcp
US 93.184.220.29:80 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
GB 51.104.15.253:443 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
US 8.247.211.126:80 tcp
US 93.184.220.29:80 tcp
RU 77.247.243.43:5655 tcp
N/A 127.0.0.1:999 tcp
N/A 127.0.0.1:999 tcp
LT 5.133.65.53:443 msupdate.info tcp
N/A 127.0.0.1:999 tcp
N/A 127.0.0.1:5650 tcp
RU 77.247.243.43:5655 tcp

Files

memory/1792-130-0x0000000001490000-0x0000000001492000-memory.dmp

memory/1792-131-0x000000001C750000-0x000000001D2AD000-memory.dmp

memory/1200-132-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4lazxtzg.0.cs

MD5 1640a04633fee0dfdc7e22c4f4063bf6
SHA1 3cb525c47b5dd37f8ee45b034c9452265fba5476
SHA256 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
SHA512 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

\??\c:\Users\Admin\AppData\Local\Temp\4lazxtzg.cmdline

MD5 58a96dc3b43df4118b05715cab17d1da
SHA1 5fd288876b39c36c17ca1875da357b3e5dcdef46
SHA256 4928b97ed2896866cb70d75952cb68489543a950a72c30643a84f6b9de7ade44
SHA512 9198a4ffe2ea4a4cc9d62480e862cb854f74319a9f2cb5762ed63c1c386666e65d3970bf37cfcdc7ecef540dee7d6de90a1789bb65e46cd4bfb1b58505ce3171

memory/2636-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4lazxtzg.pdb

MD5 232f6dea4e21853053d08147ecfeb1d8
SHA1 fab40c8ae46cf24c6916c62137c6e0a675f07e73
SHA256 03dfd305070547d3f4119da2bcb72551e4338fbd3a5f209f3952d6c5dce534d3
SHA512 393ef5f460b6b56fefed5d550b5dba5f9d2100e6c797a1e6fcefa5496f8cd12cb41747914faa2d0e10b1a9b4da7a1812c311da5ba8e1134c1d93f5be88242c29

C:\Users\Admin\AppData\Local\Temp\4lazxtzg.dll

MD5 984e3a6b207f6bcaaf49b5b22d2def22
SHA1 6087a715e8cc6ca96fefd2ceeb29a8a591c8abce
SHA256 e461a3583c0d807dd69c27fac26ccced79d2d44b11456e2b1f8ae16e6c75502f
SHA512 3bda8f1a838839fb471e972f1aec029c38528e44aa167e8933e861949f83a0778e683588455ec1942b470fc3c0d4ec6b170cf00701d2da822d919bc44435262b

memory/3164-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RES7370.tmp

MD5 35e128a87586a6d6cad23065c91c2a64
SHA1 94959f764d4cfc08f67aeedc9dade8236ce4a018
SHA256 e568f83277c37ac5d68fbd89c94c82a639346fb8f9108886ac1b6736cc96231f
SHA512 cd64fc1560e64f60b7f5b3683c88ef252d4fceda94c0f5903f9f4b682955bef941dfd3f532887e56a7502fd85f55bd93ad871da2ba9a26386856b80c36e7faef

\??\c:\Users\Admin\AppData\Local\Temp\CSC7360.tmp

MD5 2d73ec4d3c864dcc0ca1ed52138172f7
SHA1 65c8db6818cdeab7be2f74ad4268acd62e9119fe
SHA256 2e44b40367ee4a70828fef00799d09ded6cdf5bedc27a434ec7960f25f9bb063
SHA512 cd0d031a19ca21c5d03e48d8617e8c5dc1a720c89e7da970ab058f9ea9d8f39fde89118013b207bcf67efec03b7369ec6c058acd36ffb4c4181d1446d7d34993

memory/4532-141-0x0000000000000000-mapping.dmp

memory/3848-142-0x0000000000000000-mapping.dmp

memory/4692-143-0x0000000000000000-mapping.dmp

memory/828-144-0x0000000000000000-mapping.dmp

memory/640-145-0x0000000000000000-mapping.dmp

memory/564-146-0x0000000000000000-mapping.dmp

memory/2620-147-0x0000000000000000-mapping.dmp

memory/2288-148-0x0000000000000000-mapping.dmp

memory/2788-149-0x0000000000000000-mapping.dmp

memory/2740-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RMS.exe

MD5 73f351beae5c881fafe36f42cde9a47c
SHA1 dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512 f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

C:\Users\Admin\AppData\Local\Temp\RMS.exe

MD5 73f351beae5c881fafe36f42cde9a47c
SHA1 dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512 f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66

memory/4608-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

memory/4504-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

MD5 73e578a44265558d3ace212869d43cbb
SHA1 d2c15578def8996ed0ae4a44754055b774b095a7
SHA256 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4
SHA512 fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

memory/3676-158-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI88.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

C:\Windows\Installer\MSI88.tmp

MD5 b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256 b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

memory/1524-161-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

memory/1128-164-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

memory/2832-166-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

MD5 c9704931d887685d96ce92d637d84045
SHA1 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

MD5 bc25377ade68750b834c81fa71c233b8
SHA1 84dbb465dd2125f47668e2508e18af9bd6db2fd8
SHA256 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3
SHA512 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

MD5 038bf9f3a58560ad1130eeb85cdc1a87
SHA1 3571eb7293a2a3a5bf6eb21e1569cd151d995d1a
SHA256 d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d
SHA512 8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

MD5 4570f7a40357016c97afe0dd4faf749b
SHA1 ebc8a1660f1103c655559caab3a70ec23ca187f1
SHA256 a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8
SHA512 6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

MD5 eeb2c52abbc7eb1c029b7fec45a7f22e
SHA1 8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61
SHA256 c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c
SHA512 0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

MD5 76ebe5fd077a62161d0ab560208b9f94
SHA1 614c218d35ba531f0bad791d52e5dcf57df5c742
SHA256 f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b
SHA512 baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

MD5 e38372f576d927f525ef8e1a34b54664
SHA1 26af9d1db0a3f91d7fe13147e55f06c302d59389
SHA256 4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b
SHA512 78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

MD5 3d0b27b3f8aa22575aa0faf0b2d67216
SHA1 39fc787538849692ed7352418616f467b7a86a1d
SHA256 d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44
SHA512 19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

MD5 292a1748850d1fdc91d4ec23b02d6902
SHA1 8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d
SHA256 acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f
SHA512 cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

MD5 2ddfa39f5c2fd3f00681ef2970617e4b
SHA1 8152aa18afbacf398b92168995ec8696d3fe3659
SHA256 f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791
SHA512 f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

memory/3700-179-0x0000000000000000-mapping.dmp

memory/1848-180-0x0000000000000000-mapping.dmp

memory/1684-181-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

MD5 76ebe5fd077a62161d0ab560208b9f94
SHA1 614c218d35ba531f0bad791d52e5dcf57df5c742
SHA256 f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b
SHA512 baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

MD5 76ebe5fd077a62161d0ab560208b9f94
SHA1 614c218d35ba531f0bad791d52e5dcf57df5c742
SHA256 f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b
SHA512 baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

C:\Users\Admin\AppData\Local\Temp\killself.bat

MD5 c2ac85b000427a4a00f19da237aaaf86
SHA1 459ecb5e64576348e6c654724e87825772c06ea8
SHA256 b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352
SHA512 e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

memory/2580-185-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

MD5 76ebe5fd077a62161d0ab560208b9f94
SHA1 614c218d35ba531f0bad791d52e5dcf57df5c742
SHA256 f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b
SHA512 baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde