Malware Analysis Report

2024-11-15 08:39

Sample ID 220419-eq9sasbbcl
Target $77_loader.exe
SHA256 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Tags: rms discovery evasion persistence rat trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file $77_loader.exe was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion persistence rat trojan

RMS

Sets file execution options in registry

Executes dropped EXE

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Enumerates connected drives

Modifies powershell logging option

Modifies WinLogon

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gathers network information

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2022-04-19 04:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-19 04:09

Reported

2022-04-19 04:12

Platform

win7-20220414-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

Signatures

RMS

trojan rat rms

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Sets file execution options in registry

persistence

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Modifies WinLogon

persistence

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A

Modifies powershell logging option

evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\English.lg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\6de478.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3339.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\config.xml C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6de476.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6de476.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6de478.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI25C0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6de47a.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod_mod.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
N/A N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1672 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1672 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1752 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1752 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1752 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1672 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1672 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\chcp.com
PID 1672 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\NETSTAT.EXE
PID 1672 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Windows\system32\netsh.exe
PID 1672 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1672 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1672 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1672 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\$77_loader.exe C:\Users\Admin\AppData\Local\Temp\RMS.exe
PID 1704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1704 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RMS.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
PID 1652 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 1648 wrote to memory of 1656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1648 wrote to memory of 1556 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
PID 1648 wrote to memory of 1712 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe

"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emin3iva.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC56E.tmp"

C:\Windows\system32\chcp.com

"C:\Windows\system32\chcp.com" 437

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\NETSTAT.EXE

"C:\Windows\system32\NETSTAT.EXE" -na

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy reset

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" interface portproxy show all

C:\Users\Admin\AppData\Local\Temp\RMS.exe

"C:\Users\Admin\AppData\Local\Temp\RMS.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A8A1030EB6DCD985305E0E8F2724AD46

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 msupdate.info udp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
LT 5.133.65.53:443 msupdate.info tcp
LT 5.133.65.53:80 msupdate.info tcp
N/A 127.0.0.1:999 N/A tcp
N/A 127.0.0.1:5650 N/A tcp
RU 77.247.243.43:5655 N/A tcp
LT 5.133.65.53:5655 msupdate.info tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-19 04:09

Reported

2022-04-19 04:10

Platform

win10v2004-20220310-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A