Analysis Overview
SHA256
3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc
Threat Level: Known bad
The file 3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe was found to be: Known bad.
Malicious Activity Summary
Registers COM server for autorun
RMS
Drops file in Drivers directory
Executes dropped EXE
Blocklisted process makes network request
UPX packed file
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: SetClipboardViewer
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
Analysis: static1
Detonation Overview
Reported
2022-05-14 20:09
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-14 20:09
Reported
2022-05-14 20:11
Platform
win7-20220414-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
RMS
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2022-05.html | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\drvinstaller32.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\6c1598.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6c1596.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6c1596.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6c1594.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5E6D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6c1594.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI575B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\RMS | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\PackageCode = "B39B0F2EBB537BF46A58ECBDE554B477" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Version = "117436076" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductIcon = "C:\\Windows\\Installer\\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AuthorizedLUAApp = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{C19616D5-41F0-4293-B9CE-C1CD75BD3885}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\monitor_driver | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\PackageName = "host.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{C19616D5-41F0-4293-B9CE-C1CD75BD3885}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\2 = "C:\\ProgramData\\Remote Manipulator System\\msi\\69110_{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe
"C:\Users\Admin\AppData\Local\Temp\3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RMS_{C19616D5-41F0-4293-B9CE-C1CD75BD3885}\host.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5EA759CEF81BC2F5494EE9F1120E27D9
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RMS_{C19616D5-41F0-4293-B9CE-C1CD75BD3885}\host.msi"
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.37.43.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.37.43.27:80 | tl.symcd.com | tcp |
| US | 8.8.8.8:53 | mail.hosting.reg.ru | udp |
| RU | 31.31.194.65:587 | mail.hosting.reg.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| RU | 109.234.156.179:5655 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RMS_{C19616D5-41F0-4293-B9CE-C1CD75BD3885}\host.msi
| MD5 | bac7724f2bb43c352494c77bc99d3e5c |
| SHA1 | f440a950e53adad76238db2e084374fc74a5711b |
| SHA256 | a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793 |
| SHA512 | 1e7e85915293db5c9ee9dc27604d1f9c83ad66aec28aa82544d29f2ee4ffca72349c0b828a17fe1b08fab206b3695ce7072227ded23bb315db6f663e93427b1d |
C:\Windows\Installer\MSI575B.tmp
| MD5 | 52185b209cfdb02d88b4a40a4bdf0911 |
| SHA1 | aa35fedfeefbee93bcca5a30feed8d240e2d1c95 |
| SHA256 | 756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492 |
| SHA512 | 8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3 |
\Windows\Installer\MSI575B.tmp
| MD5 | 52185b209cfdb02d88b4a40a4bdf0911 |
| SHA1 | aa35fedfeefbee93bcca5a30feed8d240e2d1c95 |
| SHA256 | 756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492 |
| SHA512 | 8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3 |
memory/1712-63-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
memory/632-66-0x0000000000000000-mapping.dmp
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\ProgramData\Remote Manipulator System\install.log
| MD5 | 255e7108cdb0fbd90c11b7cc92f9bd6d |
| SHA1 | f3127257f7e6d39623ce21bb191dd5f2926c3765 |
| SHA256 | b420934cf8b24afb92337f377025e6d5e6517115141952842e66f3c339e9a031 |
| SHA512 | f83219f17ff2d90e1d52f5ba814c02997f9ffe7bc3f2c929d1c7304d2e1efe1b2a8d632aa34c74b476ca71ec966883a46f8713c76e73d9ec735e2871e33b1efd |
memory/1728-74-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
memory/1976-79-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
C:\ProgramData\Remote Manipulator System\install.log
| MD5 | 5814286372e039969ef452ef49300593 |
| SHA1 | 00084d0c9a681544050e000bfb703a18fb597107 |
| SHA256 | ebdbf20e78eff182067c44abc40cb6df818b64d5bc5192d1915733e5ea3d7c7b |
| SHA512 | a2eb3dbd186015c8ea933487631da2de6e758f75095a956766fa75d5d1b24dab919a107538eb183123d699ce2d86f975618153db7871729c555589896b7c5f0e |
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | 246286feb0ed55eaf4251e256d2fe47e |
| SHA1 | bc76b013918e4c1bd6dff44708a760496d8c717c |
| SHA256 | 64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27 |
| SHA512 | 900e670259fb3b5762c0242236ce86fcdd04300407fc4d79959edfed99bbec58b4e10048a2b9ef54e709d00717870bf09c7b5fb2f5fa3cfe844682d2bb36f12f |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | 55a0b95a1d1b7e309f2c22af82a07cc0 |
| SHA1 | 521c41e185e5b5e73cfc4e1b18646dc4ed171942 |
| SHA256 | 704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d |
| SHA512 | 38e3a8392f84cd31b9eb12ce4fa7ed04db29f4fe4de95e52f18cdc6e7c74a0b2673d15ab40802bf289ed3a1e83526827b012ceddbb309f40c5302547ce39f5f9 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 1ea62293ac757a0c2b64e632f30db636 |
| SHA1 | 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba |
| SHA256 | 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df |
| SHA512 | 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 89770647609ac26c1bbd9cf6ed50954e |
| SHA1 | 349eed120070bab7e96272697b39e786423ac1d3 |
| SHA256 | 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4 |
| SHA512 | a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | d29f7070ee379544aeb19913621c88e6 |
| SHA1 | 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be |
| SHA256 | 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf |
| SHA512 | 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | 7a9eeac3ceaf7f95f44eb5c57b4db2e3 |
| SHA1 | be1048c254aa3114358f76d08c55667c4bf2d382 |
| SHA256 | b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88 |
| SHA512 | b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | 5308b9945e348fbe3a480be06885434c |
| SHA1 | 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff |
| SHA256 | 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a |
| SHA512 | 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412 |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
memory/1972-99-0x0000000000000000-mapping.dmp
memory/1608-98-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
memory/616-104-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
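The Files list repeats several entries (each drop event is recorded separately) and contains one trap for anyone copying hashes into a blocklist: install.log appears with two different SHA-256 values because the installer kept appending to it, so its hash identifies a moment in time, not a file. The following is an added example for this page, not sandbox output or vendor code: it collapses the list into a usable hash set, drops names whose hash is unstable within a single run, and sweeps a directory tree against the result. The SHA-256 values are copied from the list above; the file hashed in demo_sweep() is a constructed stand-in, not an RMS binary:

```python
"""Turn the Files section into a usable SHA-256 IOC set and sweep a tree with it.

Added example for this report, not part of the sandbox output. FILE_ENTRIES is
copied from the Files list above with repeats collapsed; install.log keeps both
of its values on purpose. demo_sweep() hashes a constructed stand-in file.
"""
import hashlib
import os
from collections import defaultdict
from pathlib import Path

FILE_ENTRIES = [
    ("host.msi", "a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793"),
    ("MSI575B.tmp", "756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492"),
    ("rfusclient.exe", "b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2"),
    ("rutserv.exe", "decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd"),
    ("ssleay32.dll", "1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56"),
    ("libeay32.dll", "a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884"),
    ("install.log", "b420934cf8b24afb92337f377025e6d5e6517115141952842e66f3c339e9a031"),
    ("install.log", "ebdbf20e78eff182067c44abc40cb6df818b64d5bc5192d1915733e5ea3d7c7b"),
    ("English.lg", "64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27"),
    ("Russian.lg", "704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d"),
    ("vp8decoder.dll", "970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df"),
    ("vp8encoder.dll", "7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4"),
    ("webmmux.dll", "654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf"),
    ("webmvorbisdecoder.dll", "b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88"),
    ("webmvorbisencoder.dll", "9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a"),
]


def volatile_names(entries):
    """Names seen with more than one hash in a single run: files rewritten during install."""
    seen = defaultdict(set)
    for name, digest in entries:
        seen[name].add(digest.lower())
    return {n for n, d in seen.items() if len(d) > 1}


def ioc_set(entries, exclude_volatile=True):
    """De-duplicated SHA-256 set, optionally dropping hashes of files that change between snapshots."""
    skip = volatile_names(entries) if exclude_volatile else set()
    return {d.lower() for n, d in entries if n not in skip}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk root and return (path, sha256) for every file whose hash is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked, unreadable or removed mid-walk
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo_sweep():
    """Self-contained run over a throwaway tree holding one constructed stand-in file."""
    import tempfile
    payload = b"constructed stand-in, not an RMS binary\n"
    root = Path(tempfile.mkdtemp(prefix="rms_sweep_"))
    (root / "sub").mkdir()
    (root / "sub" / "rutserv.exe").write_bytes(payload)
    (root / "readme.txt").write_bytes(b"unrelated\n")
    want = hashlib.sha256(payload).hexdigest()
    return sweep(root, ioc_set(FILE_ENTRIES) | {want}), want


if __name__ == "__main__":
    print(f"{len(ioc_set(FILE_ENTRIES))} usable hashes; volatile: {sorted(volatile_names(FILE_ENTRIES))}")
    for p, d in demo_sweep()[0]:
        print("HIT", p, d)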
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-14 20:09
Reported
2022-05-14 20:11
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
RMS
Registers COM server for autorun
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\SET5EB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET5EB.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\lockscr.sys | C:\Windows\system32\DrvInst.exe | N/A |
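The Windows 10 run adds a kernel component that the Windows 7 run lacks: DrvInst.exe stages lockscr.sys through SET5EB.tmp into System32\drivers, and (further down) publishes the package as oem2.inf with a DriverStore directory named lockscr.inf_amd64_b5060323c4b9d7cd, the installer having been launched from the RMS Monitor\x64 directory. For hunting on live hosts the oemN.inf number is useless because it is assigned per machine; the stable handles are the Original Name of the package (lockscr.inf) and the FileRepository directory prefix. The code below is an added example for this page, not sandbox output or vendor code. The pnputil text is a constructed sample in the shape of `pnputil /enum-drivers`; the provider and signer values are placeholders, not values taken from the report:

```python
"""Find the lockscr driver package on a live host from pnputil output.

Added example for this report, not part of the sandbox output. SAMPLE_PNPUTIL is a
constructed sample shaped like `pnputil /enum-drivers` output; its provider and
signer strings are placeholders. Only the INF name and the DriverStore directory
pattern come from the report.
"""
import re
import subprocess

SAMPLE_PNPUTIL = """\
Microsoft PnP Utility

Published Name:     oem1.inf
Original Name:      example_nic.inf
Provider Name:      Example Vendor
Class Name:         Network adapters
Class GUID:         {4d36e972-e325-11ce-bfc1-08002be10318}
Driver Version:     01/15/2020 1.2.3.4
Signer Name:        <placeholder signer>

Published Name:     oem2.inf
Original Name:      lockscr.inf
Provider Name:      <placeholder provider>
Class Name:         System devices
Class GUID:         {4d36e97d-e325-11ce-bfc1-08002be10318}
Driver Version:     01/01/2020 1.0.0.0
Signer Name:        <placeholder signer>
"""

SUSPECT_INFS = {"lockscr.inf"}  # original INF name from the DriverStore paths in this report

FIELDS = {"Published Name", "Original Name", "Provider Name", "Class Name",
          "Class GUID", "Driver Version", "Signer Name"}

# DriverStore\FileRepository directory names: <inf>_<arch>_<16 hex chars>
REPO_DIR_RE = re.compile(r"^(?P<inf>.+\.inf)_(?P<arch>x86|amd64|arm64)_[0-9a-f]{16}$", re.I)


def parse_pnputil(text):
    """Split `pnputil /enum-drivers` output into one dict per driver package."""
    packages, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            current[key.strip()] = value.strip()
    if current:
        packages.append(current)
    return packages


def find_suspect_packages(packages, suspect_infs=SUSPECT_INFS):
    """Match on Original Name; the published oemN.inf number differs per host."""
    wanted = {s.lower() for s in suspect_infs}
    return [p for p in packages if p.get("Original Name", "").lower() in wanted]


def inf_from_repository_dir(dirname):
    """'lockscr.inf_amd64_b5060323c4b9d7cd' -> ('lockscr.inf', 'amd64'); None if not a repository name."""
    m = REPO_DIR_RE.match(dirname)
    return (m.group("inf").lower(), m.group("arch").lower()) if m else None


def enum_drivers_live():
    """Run pnputil on a Windows host; not used by the offline sample."""
    out = subprocess.run(["pnputil", "/enum-drivers"], capture_output=True, text=True, check=True)
    return parse_pnputil(out.stdout)


if __name__ == "__main__":
    for pkg in find_suspect_packages(parse_pnputil(SAMPLE_PNPUTIL)):
        print(f"{pkg['Published Name']} <- {pkg['Original Name']} ({pkg.get('Provider Name')})")
```

A hit gives the published name to feed to `pnputil /delete-driver oemN.inf /uninstall /force` during cleanup; confirm the driver is not loaded first, since an installed package and a running kernel driver are different facts.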
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1A6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1A6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1B6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\lockscr.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1C7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.PNF | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache | C:\Windows\system32\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\system32\dxdiag.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1B6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val | C:\Windows\system32\dxdiag.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\lockscr.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\SET1C7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3ea75a4d-e676-fa49-b7ac-b3e54ce21b69}\lockscr.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.hlp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2022-05.html | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.cat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.gpd | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\printer.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\rppd.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.lng | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\drvinstaller32.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2022-05.html | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e56de5e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE38F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE5C2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{E5803A4B-5A4B-44F6-A759-882FB6AD7982} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e56de61.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\e56de5e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\dxdiag.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectInput = "1" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\wave:{35DF7502-D721-41B0-BD33-34D8541AEA09}\ClassManagerFlags = "2" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86} | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectInput\MostRecentApplication\Name = "DXDIAG.EXE" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\7CCITT u-Law\CLSID = "{6A08CF80-0E18-11CF-A24D-0020AFD79767}" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Microsoft GS Wavetable Synth\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000006d69647300001000800000aa00389b7100000000000000000000000000000000 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\wave:{5B4C7196-AF73-45D8-A9D7-79DEB8F6115E}\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b7100000000000000000000000000000000 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound:{5B4C7196-AF73-45D8-A9D7-79DEB8F6115E}\FriendlyName = "DirectSound: Speakers (High Definition Audio Device)" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\7CCITT u-Law\AcmId = "7" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectInput\MostRecentApplication | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectInput\MostRecentApplication\Version = 00080000 | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\17IMA ADPCM\FriendlyName = "IMA ADPCM" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\wave:{35DF7502-D721-41B0-BD33-34D8541AEA09}\FilterData = 02000000000020000000000000000000 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound:{5B4C7196-AF73-45D8-A9D7-79DEB8F6115E}\CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Microsoft GS Wavetable Synth | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\FilterData = 0200000000008000010000000000000030706933020000000000000013000000000000000000000030747933000000005801000068010000317479330000000058010000780100003274793300000000580100008801000033747933000000005801000098010000347479330000000058010000a8010000357479330000000058010000b8010000367479330000000058010000c8010000377479330000000058010000d8010000387479330000000058010000e8010000397479330000000058010000f80100003a7479330000000058010000080200003b7479330000000058010000180200003c7479330000000058010000280200003d7479330000000058010000380200003e7479330000000058010000480200003f7479330000000058010000580200004074793300000000580100006802000041747933000000005801000078020000427479330000000058010000880200006175647300001000800000aa00389b710100000000001000800000aa00389b710900000000001000800000aa00389b710300000000001000800000aa00389b714902000000001000800000aa00389b714002000000001000800000aa00389b714102000000001000800000aa00389b7103000000ea0c1000800000aa00389b7104000000ea0c1000800000aa00389b7105000000ea0c1000800000aa00389b7106000000ea0c1000800000aa00389b7108000000ea0c1000800000aa00389b7109000000ea0c1000800000aa00389b710a000000ea0c1000800000aa00389b710b000000ea0c1000800000aa00389b710c000000ea0c1000800000aa00389b710d000000ea0c1000800000aa00389b710800000000001000800000aa00389b719200000000001000800000aa00389b716401000000001000800000aa00389b71 | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{533D1202-7B67-4EAB-BF16-C89E41C7B8CA}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AuthorizedLUAApp = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Language = "1049" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductName = "Remote Manipulator System - Host" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\2 = "C:\\ProgramData\\Remote Manipulator System\\msi\\69110_{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{533D1202-7B67-4EAB-BF16-C89E41C7B8CA}\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-18\{8845C419-FBC3-4657-9353-16D33AD17349} | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\monitor_driver | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductIcon = "C:\\Windows\\Installer\\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\ARPPRODUCTICON.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\PackageCode = "B39B0F2EBB537BF46A58ECBDE554B477" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Version = "117436076" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\PackageName = "host.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\system32\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\system32\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\RMS | C:\Windows\system32\msiexec.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe
"C:\Users\Admin\AppData\Local\Temp\3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RMS_{533D1202-7B67-4EAB-BF16-C89E41C7B8CA}\host.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6A698B79C724D0B16E179CE9BF2148EA
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RMS_{533D1202-7B67-4EAB-BF16-C89E41C7B8CA}\host.msi"
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -dispinstall
C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe" -dispinstall
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.inf" "9" "4351f1d4b" "0000000000000150" "WinSta0\Default" "0000000000000148" "208" "c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "DISPLAY\RHT1234\4&27B1E55B&0&UID0" "C:\Windows\INF\oem2.inf" "oem2.inf:ed86ca116f85e4ac:Driver_DDI:16.10.46.576:*pnp09ff," "4351f1d4b" "0000000000000150"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
C:\Windows\system32\dxdiag.exe
"C:\Windows\system32\dxdiag.exe" /whql:off /x "C:\Windows\Temp\dxdig_{2B84D3D0-B664-4455-9F48-0318D0462FE8}.xml"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.37.43.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.37.43.27:80 | tl.symcd.com | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| SE | 23.52.27.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| SE | 23.52.27.27:80 | tl.symcd.com | tcp |
| US | 52.168.117.170:443 | | tcp |
| US | 8.8.8.8:53 | mail.hosting.reg.ru | udp |
| RU | 31.31.194.65:587 | mail.hosting.reg.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| RU | 109.234.156.179:5655 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
Files
memory/2460-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RMS_{533D1202-7B67-4EAB-BF16-C89E41C7B8CA}\host.msi
| MD5 | bac7724f2bb43c352494c77bc99d3e5c |
| SHA1 | f440a950e53adad76238db2e084374fc74a5711b |
| SHA256 | a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793 |
| SHA512 | 1e7e85915293db5c9ee9dc27604d1f9c83ad66aec28aa82544d29f2ee4ffca72349c0b828a17fe1b08fab206b3695ce7072227ded23bb315db6f663e93427b1d |
memory/2908-132-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSIE38F.tmp
| MD5 | 52185b209cfdb02d88b4a40a4bdf0911 |
| SHA1 | aa35fedfeefbee93bcca5a30feed8d240e2d1c95 |
| SHA256 | 756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492 |
| SHA512 | 8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3 |
memory/1364-135-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
memory/4032-137-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\ProgramData\Remote Manipulator System\install.log
| MD5 | 40b59b2269e652084f78c15cbbc0326c |
| SHA1 | 087def8776189eefb11fbdafd241880c04c5a63a |
| SHA256 | 213b7685dec20d680800a0cd136faeb4506ac936d724a2690dba67b8c83f2430 |
| SHA512 | 58a9abaaea8dc1d0c363207740b0218741aba6c5622bea5ffa3601db3e7333dd6bd18fd1526215139d2cd0714767961ca8d688781f04057dfbdc53beb6226d8a |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
memory/1664-144-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe
| MD5 | 72076f4aae15dd34c572e8e151c261e6 |
| SHA1 | 4c9a495e24a3d2d95f89b6b9bf908de3e7b82928 |
| SHA256 | 588e5a448742a6bbe8536463b072a424ca3e7a88a212d7fa92618b2620826db6 |
| SHA512 | 7ad67ca63a84b4977b98ad26922154aad798e8518e93a8c57bb5f0803e96252fe6c8646d6dad53dc81abdbed114b16d4e25beeae7050ab835f38b7ece7472572 |
memory/3128-149-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe
| MD5 | 72076f4aae15dd34c572e8e151c261e6 |
| SHA1 | 4c9a495e24a3d2d95f89b6b9bf908de3e7b82928 |
| SHA256 | 588e5a448742a6bbe8536463b072a424ca3e7a88a212d7fa92618b2620826db6 |
| SHA512 | 7ad67ca63a84b4977b98ad26922154aad798e8518e93a8c57bb5f0803e96252fe6c8646d6dad53dc81abdbed114b16d4e25beeae7050ab835f38b7ece7472572 |
\??\c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.inf
| MD5 | 49ad0d7c46ac85407b40701d0d205aa8 |
| SHA1 | d1a359d7aacfa04424bdda9ba49c81eb248799e3 |
| SHA256 | ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a |
| SHA512 | 4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d |
\??\c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.cat
| MD5 | 12a7f47c90e918b41ce04c9bcb51359a |
| SHA1 | 33aed70fa4741248d38f9470bab68fc67feb970c |
| SHA256 | 4e7afd7f1ee3926742d10502879576e3dfe132c558c9c3c833df715a49fa2f3a |
| SHA512 | 32620cdc862beb166aecd3622457c311b28bf447c1fe83bf546aa507bf2cf6a1911da881d6c4e655df7d38617a67c535af7e36ac1021ada9b97e0b6623a48733 |
memory/3576-153-0x0000000000000000-mapping.dmp
\??\c:\PROGRA~2\REMOTE~1\monitor\x64\WINDOW~1\lockscr.sys
| MD5 | 32870cbf933826df5160b176b54293e6 |
| SHA1 | 367afde56b570dc5cb0ea9387749fe793a4ababd |
| SHA256 | 486ddc8e9aa5b4e5cd166c5b326edfd682554c10ff0f31eb2feaaa2e479f5389 |
| SHA512 | 8405045707a4d6a17004c904aa5d6ecc448cadcd339bf8f7acea2fa91d29b02378ec158321c3e8450a958345ba96ed385a19e19fd15189fa2c15dd5a5d1ae682 |
C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.inf
| MD5 | 49ad0d7c46ac85407b40701d0d205aa8 |
| SHA1 | d1a359d7aacfa04424bdda9ba49c81eb248799e3 |
| SHA256 | ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a |
| SHA512 | 4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d |
memory/4188-156-0x0000000000000000-mapping.dmp
C:\Windows\INF\oem2.inf
| MD5 | 49ad0d7c46ac85407b40701d0d205aa8 |
| SHA1 | d1a359d7aacfa04424bdda9ba49c81eb248799e3 |
| SHA256 | ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a |
| SHA512 | 4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d |
C:\Windows\System32\DriverStore\FileRepository\LOCKSC~1.INF\lockscr.sys
| MD5 | 32870cbf933826df5160b176b54293e6 |
| SHA1 | 367afde56b570dc5cb0ea9387749fe793a4ababd |
| SHA256 | 486ddc8e9aa5b4e5cd166c5b326edfd682554c10ff0f31eb2feaaa2e479f5389 |
| SHA512 | 8405045707a4d6a17004c904aa5d6ecc448cadcd339bf8f7acea2fa91d29b02378ec158321c3e8450a958345ba96ed385a19e19fd15189fa2c15dd5a5d1ae682 |
memory/5024-159-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
| MD5 | 55d66bd554511f803bebead2bd1bfde0 |
| SHA1 | 34d8176565909b7b756d92a32cd8a50185f998f1 |
| SHA256 | decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd |
| SHA512 | cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc |
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
memory/5000-163-0x0000000000000000-mapping.dmp
C:\ProgramData\Remote Manipulator System\install.log
| MD5 | e07378e62da757c8c5491518335a9a83 |
| SHA1 | fe9d1624743a68f033d3c368fcca275323dc2db2 |
| SHA256 | bf395c5311c22ef03cf7a7d4dda368a9510e941bdf89206ca2cdbf44e113f732 |
| SHA512 | e25ff69acdee78850d41deb60870ce057487243b457a0d30890c5a562c3e36d456a34abd8bf861b5895971eb0766d441b2b659bd332abc1d3a43d4749d22b95a |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
| MD5 | cd97f125a6462574065fd1e3854f9d7f |
| SHA1 | fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f |
| SHA256 | b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2 |
| SHA512 | 5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
| MD5 | 5308b9945e348fbe3a480be06885434c |
| SHA1 | 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff |
| SHA256 | 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a |
| SHA512 | 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412 |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
| MD5 | 7a9eeac3ceaf7f95f44eb5c57b4db2e3 |
| SHA1 | be1048c254aa3114358f76d08c55667c4bf2d382 |
| SHA256 | b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88 |
| SHA512 | b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
| MD5 | d29f7070ee379544aeb19913621c88e6 |
| SHA1 | 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be |
| SHA256 | 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf |
| SHA512 | 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5 |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
| MD5 | 89770647609ac26c1bbd9cf6ed50954e |
| SHA1 | 349eed120070bab7e96272697b39e786423ac1d3 |
| SHA256 | 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4 |
| SHA512 | a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
| MD5 | 1ea62293ac757a0c2b64e632f30db636 |
| SHA1 | 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba |
| SHA256 | 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df |
| SHA512 | 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab |
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
| MD5 | 55a0b95a1d1b7e309f2c22af82a07cc0 |
| SHA1 | 521c41e185e5b5e73cfc4e1b18646dc4ed171942 |
| SHA256 | 704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d |
| SHA512 | 38e3a8392f84cd31b9eb12ce4fa7ed04db29f4fe4de95e52f18cdc6e7c74a0b2673d15ab40802bf289ed3a1e83526827b012ceddbb309f40c5302547ce39f5f9 |
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
| MD5 | 246286feb0ed55eaf4251e256d2fe47e |
| SHA1 | bc76b013918e4c1bd6dff44708a760496d8c717c |
| SHA256 | 64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27 |
| SHA512 | 900e670259fb3b5762c0242236ce86fcdd04300407fc4d79959edfed99bbec58b4e10048a2b9ef54e709d00717870bf09c7b5fb2f5fa3cfe844682d2bb36f12f |
memory/1324-180-0x0000000000000000-mapping.dmp
memory/4200-181-0x0000000000000000-mapping.dmp
memory/2288-184-0x0000000000000000-mapping.dmp
memory/1964-186-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx
| MD5 | 32f964b7fbe1013f7a2cebd890947b2a |
| SHA1 | 39ff0fe62da9c5ccf36facc05ed4f6ff7b8dd847 |
| SHA256 | 10fe637f634a5c4ae37107ae048eb956d9a51abc73d723798693040a1f92e097 |
| SHA512 | 5531d93ddde06543da5737b455d3ed30a85cc6ae2aa8e6eb12c006f6e8f7b4e1fadbf2276a6950938c2370649c677965339d629ad3aa6a46bfb38d93bf91e0d2 |
C:\Windows\Temp\dxdig_{2B84D3D0-B664-4455-9F48-0318D0462FE8}.xml
| MD5 | 431d6b176842204dc6f4a9ba24406bdf |
| SHA1 | f142e81bd3bd39bfcce7cc125a8680ae767a8404 |
| SHA256 | 2faa41f5fc10f0adb72a74c6671632e4ccc5aafb2a95d154c73df84312a31267 |
| SHA512 | eeeb9d70ce1a49c83c11df77a0069b0b2bf55b3d1ecac01f627f45ad71e0084cb9e63783e59be5659e55eba8ec4e87578221efe9dd6dba61230497aeeae90dde |