ramnit | 280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667

Analysis

max time kernel
124s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe
Size

7.5MB
MD5

ba351f8b5c47b70eee91328f2bc2345b
SHA1

94b4eb2cbab81d9d6b2883bf96ade2cebc3157cb
SHA256

280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667
SHA512

2a80ce863e5a037d58d618a6da9ef17a1dab86f23191348e49e4985999d3fc86cb30d3ec123d43654a4637e2ec53c21204df8141768945c206806a4f1ccf5bb6
SSDEEP

196608:3XnJBzfmUJZhtsZythv8GLvm0ITvrLU/defgZE:3XnTDxr3D6jLU/w9

Score

10^/10

ramnit rms banker rat spyware stealer trojan upx worm

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1616	msiexec.exe
4	1616	msiexec.exe
6	1616	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
1252	rutserv.exe
1512	rutservSrv.exe
1708	DesktopLayer.exe
1632	rutserv.exe
1968	rutservSrv.exe
1384	rutserv.exe
1980	DesktopLayer.exe
1676	rutserv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-80-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1512-85-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1708-89-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Loads dropped DLL 12 IoCs

pid	Process
1752	MsiExec.exe
1252	rutserv.exe
1252	rutserv.exe
1252	rutserv.exe
1512	rutservSrv.exe
1512	rutservSrv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1968	rutservSrv.exe
1968	rutservSrv.exe
1384	rutserv.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	iexplore.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6874.tmp	rutservSrv.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe	rutserv.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	attrib.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	attrib.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6390.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\6c5718.ipi	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6c5718.ipi	msiexec.exe
File created	C:\Windows\28122008.txt	cmd.exe
File opened for modification	C:\Windows\Installer\6c5716.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\6c5716.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FF6.tmp	msiexec.exe
File created	C:\Windows\Installer\6c571a.msi	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070a0006001d0001000f0017003e0002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\OperationalData = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 5091ede633ebd801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e6070a0006001d0001000f000f00ea02	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e6070a0006001d0001000f000f00ab02	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070a0006001d0001000f001200230302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = b0294fe733ebd801	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070a0006001d0001000f001200330302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\1 = "DISK1;1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\InstanceType = "0"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Clients = 3a0000000000	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Version = "100603060"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductIcon = "C:\\Windows\\Installer\\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\\ARPPRODUCTICON.exe"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AuthorizedLUAApp = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\LastUsedSource = "n;1;C:\\Users\\836D~1\\AppData\\Local\\Temp\\7ZipSfx.003\\"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F21BB3D03099A4D40A267949D7A24BE4\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\PackageName = "rms.host5.5ru.msi"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Language = "1049"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AdvertiseFlags = "388"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\ProductIcon = "C:\\Windows\\Installer\\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\DiskPrompt = "[1]"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net\1 = "C:\\Users\\836D~1\\AppData\\Local\\Temp\\7ZipSfx.003\\"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Version = "100603766"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\PackageName = "rms.host5.6ru.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductName	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\PackageCode = "CA621BAB2625C4F47B0824566FC192D8"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Assignment = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\DeploymentFlags = "3"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\PackageCode = "001E4BCEB6F30B0418BA0CB49940D551"	msiexec.exe

Runs .reg file with regedit 1 IoCs

pid	Process
844	regedit.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1832	PING.EXE
1080	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1616	msiexec.exe
1616	msiexec.exe
1708	DesktopLayer.exe
1708	DesktopLayer.exe
1708	DesktopLayer.exe
1708	DesktopLayer.exe
1252	rutserv.exe
1252	rutserv.exe
1252	rutserv.exe
1252	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1384	rutserv.exe
1384	rutserv.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe
1980	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1328	msiexec.exe
Token: SeRestorePrivilege	1616	msiexec.exe
Token: SeTakeOwnershipPrivilege	1616	msiexec.exe
Token: SeSecurityPrivilege	1616	msiexec.exe
Token: SeCreateTokenPrivilege	1328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1328	msiexec.exe
Token: SeLockMemoryPrivilege	1328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1328	msiexec.exe
Token: SeMachineAccountPrivilege	1328	msiexec.exe
Token: SeTcbPrivilege	1328	msiexec.exe
Token: SeSecurityPrivilege	1328	msiexec.exe
Token: SeTakeOwnershipPrivilege	1328	msiexec.exe
Token: SeLoadDriverPrivilege	1328	msiexec.exe
Token: SeSystemProfilePrivilege	1328	msiexec.exe
Token: SeSystemtimePrivilege	1328	msiexec.exe
Token: SeProfSingleProcessPrivilege	1328	msiexec.exe
Token: SeIncBasePriorityPrivilege	1328	msiexec.exe
Token: SeCreatePagefilePrivilege	1328	msiexec.exe
Token: SeCreatePermanentPrivilege	1328	msiexec.exe
Token: SeBackupPrivilege	1328	msiexec.exe
Token: SeRestorePrivilege	1328	msiexec.exe
Token: SeShutdownPrivilege	1328	msiexec.exe
Token: SeDebugPrivilege	1328	msiexec.exe
Token: SeAuditPrivilege	1328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1328	msiexec.exe
Token: SeChangeNotifyPrivilege	1328	msiexec.exe
Token: SeRemoteShutdownPrivilege	1328	msiexec.exe
Token: SeUndockPrivilege	1328	msiexec.exe
Token: SeSyncAgentPrivilege	1328	msiexec.exe
Token: SeEnableDelegationPrivilege	1328	msiexec.exe
Token: SeManageVolumePrivilege	1328	msiexec.exe
Token: SeImpersonatePrivilege	1328	msiexec.exe
Token: SeCreateGlobalPrivilege	1328	msiexec.exe
Token: SeShutdownPrivilege	1404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1404	msiexec.exe
Token: SeCreateTokenPrivilege	1404	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1404	msiexec.exe
Token: SeLockMemoryPrivilege	1404	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1404	msiexec.exe
Token: SeMachineAccountPrivilege	1404	msiexec.exe
Token: SeTcbPrivilege	1404	msiexec.exe
Token: SeSecurityPrivilege	1404	msiexec.exe
Token: SeTakeOwnershipPrivilege	1404	msiexec.exe
Token: SeLoadDriverPrivilege	1404	msiexec.exe
Token: SeSystemProfilePrivilege	1404	msiexec.exe
Token: SeSystemtimePrivilege	1404	msiexec.exe
Token: SeProfSingleProcessPrivilege	1404	msiexec.exe
Token: SeIncBasePriorityPrivilege	1404	msiexec.exe
Token: SeCreatePagefilePrivilege	1404	msiexec.exe
Token: SeCreatePermanentPrivilege	1404	msiexec.exe
Token: SeBackupPrivilege	1404	msiexec.exe
Token: SeRestorePrivilege	1404	msiexec.exe
Token: SeShutdownPrivilege	1404	msiexec.exe
Token: SeDebugPrivilege	1404	msiexec.exe
Token: SeAuditPrivilege	1404	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1404	msiexec.exe
Token: SeChangeNotifyPrivilege	1404	msiexec.exe
Token: SeRemoteShutdownPrivilege	1404	msiexec.exe
Token: SeUndockPrivilege	1404	msiexec.exe
Token: SeSyncAgentPrivilege	1404	msiexec.exe
Token: SeEnableDelegationPrivilege	1404	msiexec.exe
Token: SeManageVolumePrivilege	1404	msiexec.exe
Token: SeImpersonatePrivilege	1404	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1656	iexplore.exe
2000	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1656	iexplore.exe
1656	iexplore.exe
2000	iexplore.exe
2000	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
1512	rutservSrv.exe
1708	DesktopLayer.exe
1968	rutservSrv.exe
1980	DesktopLayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1464 wrote to memory of 1324	1464	280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe	26
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1328	1324	cmd.exe	28
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1404	1324	cmd.exe	30
PID 1324 wrote to memory of 1832	1324	cmd.exe	31
PID 1324 wrote to memory of 1832	1324	cmd.exe	31
PID 1324 wrote to memory of 1832	1324	cmd.exe	31
PID 1324 wrote to memory of 1832	1324	cmd.exe	31
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1324 wrote to memory of 1060	1324	cmd.exe	32
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1752	1616	msiexec.exe	33
PID 1616 wrote to memory of 1252	1616	msiexec.exe	34
PID 1616 wrote to memory of 1252	1616	msiexec.exe	34
PID 1616 wrote to memory of 1252	1616	msiexec.exe	34
PID 1616 wrote to memory of 1252	1616	msiexec.exe	34
PID 1252 wrote to memory of 1512	1252	rutserv.exe	35
PID 1252 wrote to memory of 1512	1252	rutserv.exe	35
PID 1252 wrote to memory of 1512	1252	rutserv.exe	35
PID 1252 wrote to memory of 1512	1252	rutserv.exe	35
PID 1512 wrote to memory of 1708	1512	rutservSrv.exe	36
PID 1512 wrote to memory of 1708	1512	rutservSrv.exe	36
PID 1512 wrote to memory of 1708	1512	rutservSrv.exe	36
PID 1512 wrote to memory of 1708	1512	rutservSrv.exe	36
PID 1708 wrote to memory of 1656	1708	DesktopLayer.exe	37
PID 1708 wrote to memory of 1656	1708	DesktopLayer.exe	37
PID 1708 wrote to memory of 1656	1708	DesktopLayer.exe	37
PID 1708 wrote to memory of 1656	1708	DesktopLayer.exe	37
PID 1656 wrote to memory of 1564	1656	iexplore.exe	38
PID 1656 wrote to memory of 1564	1656	iexplore.exe	38
PID 1656 wrote to memory of 1564	1656	iexplore.exe	38
PID 1616 wrote to memory of 1632	1616	msiexec.exe	39
PID 1616 wrote to memory of 1632	1616	msiexec.exe	39
PID 1616 wrote to memory of 1632	1616	msiexec.exe	39
PID 1616 wrote to memory of 1632	1616	msiexec.exe	39
PID 1632 wrote to memory of 1968	1632	rutserv.exe	40
PID 1632 wrote to memory of 1968	1632	rutserv.exe	40

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1576	attrib.exe
1768	attrib.exe
524	attrib.exe
972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe
"C:\Users\Admin\AppData\Local\Temp\280e875558885b3a82fc5c4a4f0d25c16f6ab412c9d855053ca2bceb38b5a667.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1832
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "rms.host5.6ru.msi" /qn
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1080
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s 28.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:844
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Program Files (x86)\Remote Manipulator System - Host"
    3⤵
    - Views/modifies file attributes
    PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r "C:\Program Files (x86)\Remote Manipulator System - Host"
    3⤵
    - Views/modifies file attributes
    PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r /d /s "C:\Program Files (x86)\Remote Manipulator System - Host\*.*"
    3⤵
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:524
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s +r /d /s "C:\Program Files (x86)\Remote Manipulator System - Host\*.*"
    3⤵
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC8529A524FC42DF57DC0E7603BB5CF1
  2⤵
  - Loads dropped DLL
  PID:1752
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\System32\ie4uinit.exe
        
        "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1564
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
        6⤵
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:436
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    PID:1968
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      PID:1980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
        6⤵
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:1140
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe

Filesize
158KB

MD5
e1324e05ee17bf249df5d81b54fef9f2

SHA1
abf8675cf70af6eb7d7d37cdd73f5b3ccf8c453d

SHA256
cd915255abf6421b4467bfa090c371e81951e8a6d75d31f4339e61da1d872c63

SHA512
5ca8d40e63553a65842d1e87d3e306d2bdd337c6ec9c6d24dbed1677f3746927b77215cf5f1a00cbc1860a027eea4c4be2a3f19cdef398765bcccc21a73d17cb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe

Filesize
18KB

MD5
fccbbb58ab23a52dff87344e8c8e075a

SHA1
6ec1f93a5b75c1e8a5c339beec8e490ea39ad681

SHA256
fba3e8afa91e6a0bdfad47c04f9db1b405a666c61d90c2f705d05785281765ea

SHA512
92a421859e7e7d198902261e6e158bd79dab6a7034bbdf9dc94cd8906f0ca35788efc1c613a86ca864fef8fff86c14d318b6044d744a2417f74effda6d2ff489

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd

Filesize
68B

MD5
921adb25b2323226764ccface8bc087a

SHA1
0e657a741ec92704fe2e9b19f7eb0890cba02b1c

SHA256
e71036db28270fff2f386049abcd8b1340f66871c3c6cc64195c4de30d886464

SHA512
b91cc962438e4a7afd4324b81d84b3721dc44a49e9c674fa92a5363f8e393ba64bf99aca852b375620d7a4e84a09a8af591df4531346cc936559f80a91cdc999

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf

Filesize
9KB

MD5
6476f7217d9d6372361b9e49d701fb99

SHA1
e1155ab2acc8a9c9b3c83d1e98f816b84b5e7e25

SHA256
6135d3c9956a00c22615e53d66085dabbe2fbb93df7b0cdf5c4f7f7b3829f58b

SHA512
b27abd8ed640a72424b662ae5c529cdda845497dc8bd6b67b0b44ae9cdd5e849f627e1735108b2df09dd6ef83ad1de6faa1ad7a6727b5d7a7985f92a92ca0779

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe

Filesize
20KB

MD5
ed2698aaef09a96256bc6a9fdcbc528a

SHA1
76d1986cfe1c2263e41339ffee4b558d1c241de3

SHA256
d2d49b4d629be89de27d52b5d8db2338c5084568758b3efe9647b995b2e88e9c

SHA512
fc17cfcbbb792df93566bbea296ad3c59ce6d42d1c5a3feddcfa788e2c4f9b2b7f8722cdb6bcd6bec484847f4144c116a74f25ba9c69a32180ec7df6375b5bbe

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd

Filesize
14KB

MD5
151f3af412abd6bf05d160a70f8873d8

SHA1
0efcf48401d546ce101920496dcbbf3ab252ee87

SHA256
4c21b9663120b494d0f5112eb5f9e0aab4b659a5bf5d5301ee4d5a98abb20f25

SHA512
58513727d12cc915cd8445a078beb238aa3df28cc49b3733d487b0d3100f1c519b39f5b809ace618536e2d8951c1b3a58c0763a893bbd92a98c8e06575d92a4f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini

Filesize
40B

MD5
58ded3cb7ca70a6975c5419c62fdb51d

SHA1
274040c32983b7fbf01f65e41b375f255a78547d

SHA256
425dbedfc4a8a0672478b0b97e28568e5007e9813bba650fe727b252f43a0dfc

SHA512
c9f3b324adc89be54ccace827c0b0b759f8658a63a6c9689c2bc5f01388daa25b8ea80f8c3b624403a2cae784af5cf0e5a94919795263a31ab9769969fd08a42

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng

Filesize
25KB

MD5
de5b0b40318ceabef85c04260141b039

SHA1
450df0a73f682425f631af1bd8b1960490498427

SHA256
7633ce5b3d2f8fea91207cdc1b2252b81606be1b5ffafedd56220cfd07f36c49

SHA512
2afdbce31039b77761173a3d8a87970a99b152a97048a8710b0d5b4876bd7602dbbf8b5315fe5f4da69d093871ee59c626198371ccdea6180d7e651b871ac91b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng

Filesize
1KB

MD5
6f06958e2d405c60521a3ce618e5ae7f

SHA1
8344c137a187900e7984c1bbff1c0ff5ca1e0023

SHA256
2da89d774f6b830400a3d95e94fd706084b4e28c0078a54c8fc5c01b981a01bf

SHA512
469673e3b09a142d80a1026709fc23abafc3a250d9574c681fb6066aa3c0f06800f60a6dfde7ccf2f3a47902f0eb2647dcd206f59d7bc3861eaf5e4fe721a511

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll

Filesize
59KB

MD5
3267b05b305aa1bfc9d3add46da6ebbe

SHA1
711d959cb570a5243a06edb07cf783265bc67417

SHA256
f07014732aff3213213202bfcb78f42f3f66548f56d15ba4c3ccff2df023e778

SHA512
6912c03e0083d95d763da058a97e9b5e2824241f4fc8035a47b3e1eec91a75e6be6dc17a6b743dbc461a853c0ae2cda8345188e53792e88948fc7af8bc345460

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll

Filesize
24KB

MD5
8718dd01693b356a499867fe306cf5cb

SHA1
36306f92254a04865bb6e966e1b96b3beaf28fdd

SHA256
12e39d57030dfc7cc7fa6f1c20e3d6fb1e7e999a73b42604b34664ccfb13c559

SHA512
f185a722e779c9196f70c572666b9ee1b32e6e2c212bb88b79502fb0f3056cfb671639210d0e6e04fe36256701467825ea58d9ffdfc1dd020b0fec26548d9948

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe

Filesize
214KB

MD5
fcf05cb13f2f941de9301158fd8846bd

SHA1
1014ad4c0f2fc498b398ce56c4613e8f48de7018

SHA256
925183e95087fa76e231b3fbafb924f771497b31140e502484aaf67f0b48861f

SHA512
1868f0efecddb4db28489194d8ac021f40e79997be51cb2ae1e3232eb1386859a5d2dc8647bfcf473bc089ef8cbd9b2711405bb9da5eb6bddaa6c18cf64243f4

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe

Filesize
64KB

MD5
3e2d738baf89f2df0f677453b641b00f

SHA1
ba3db6e032a2a9ca7197459c9485ae05a31e6214

SHA256
ea746fa2f55af75aea2f476a5a8371e2446b4c993b668468566734ca4172e98b

SHA512
1a721f3a4bca6c32dbcbbc408c41bb52bd42f9d4abea4a663daf5d8553cba7b3907b4ef147cdf3d4725eab6410218c587383192a640a89738a781978b59e3896

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe

Filesize
39KB

MD5
8d5c6130f1ac7bbc63a5ca7bfdbe0b86

SHA1
65c5870581d5ecccda95e8cd7988ed296e1b13bf

SHA256
00dbd31fb64d0c908f174c7f028e7beb287f2ac25e2ddf6109df910cf2900205

SHA512
dcaf1d6d3e6d87f7f6eed0ecb2b16156048589a37c0528d3dc1d0f691e831cfe6d82a7122d52429e94b694802ec8b50893eb86d25ea660d6b397d47cdcd761c9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd

Filesize
14KB

MD5
7162d8977515a446d2c1e139da59ded5

SHA1
952f696c463b8410b1fa93a3b2b6dae416a81867

SHA256
2835a439c6ae22074bc3372491cb71e6c2b72d0c87ae3eee6065c6caadf1e5c8

SHA512
508f7ca3d4bc298534ab058f182755851051684f8d53306011f03875804c95e427428bd425dd13633eec79748bb64e78aad43e75b70cc5a3f0f4e6696dbb6d8e

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll

Filesize
474KB

MD5
560c86ed0a2434c4b78dd177b89cfd82

SHA1
6f0f56f17191b65798296259b7a820a2a20c1f4a

SHA256
6f7cbe19b28b054b0d15699566e431eb064192096bfb86ebf3f2f0fe6356d2e9

SHA512
726d837a1accbd9b27414ca0e81ebef6d6654dfe4739617bfe3188af0fe7959ea0a38aec0a647e640ca6d23d422c140c929695caafb615a3e1e8e58ced9e154b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp

Filesize
20KB

MD5
6798f64959c913673bd66cd4e47f4a65

SHA1
c50faa64c8267ac7106401e69da5c15fc3f2034c

SHA256
0c02b226be4e7397f8c98799e58b0a512515e462ccdaac04edc10e3e1091c011

SHA512
8d208306b6d0f892a2f16f8070a89d8edb968589896cb70cf46f43bf4befb7c4ca6a278c35fe8a2685cc784505efb77c32b0aabf80d13bcc0d10a39ae8afb55a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll

Filesize
869KB

MD5
cdb62f7518a33636bbbf45b8373ab3ee

SHA1
7715bbaab16aedcf1c716ed7e62a1acc98e7ded7

SHA256
c604bb8550b9019e8e88db5d40eb14801db6b802e2598b971cf474150c54b62b

SHA512
50e00a3b4a042cbfc925189c2716a2b7384ba43c029a9a103d9b42f8ef8d6c78b5f70bc4080b2e6133883868d5985132c1440496726504a22784df121b158d0f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd

Filesize
87B

MD5
24837286ab8b5537ea3967e0a7905238

SHA1
4f3dc09d2f0c9ede72577154b9954621dd30604b

SHA256
f6ebaa2bc59841b72aaf3c03c7bfea91c75ec1f982f497d6b3d7fb7271cacdf6

SHA512
6b0cfd707fbab7034ef45b4864329a9ad01f649216fe13aede6bf6488b50020da65f8a3776c1b125eebe08aef6a848d04a33de8277a2ad3827c8869af1368c00

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll

Filesize
750KB

MD5
03f5e58d189f1c1e19971ac6cafd7130

SHA1
f396baa66428f7f7b36f09e5a82a81887bc936a0

SHA256
3fdb60c1b232395a5e5c662ef2c89c6b8b68859834d69db40621f5974b1d2f4d

SHA512
cf57afb85c1084d0e87d71324520294a1d051458a74e2d264005a0529da7245a7057649a6f56d60edc4c3f56568c9a330d1b0c51b671ecaebb9c7b5eaaeca886

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe

Filesize
17KB

MD5
097f1e8f0d4b8bc201aa873bdf7e39a2

SHA1
11d285d19e61044ecb383e679559bbeca40898a7

SHA256
d1056522f1ae10bab53ab5e1e83edc75b19e393db0ea25a0c457dfd8f022b405

SHA512
10c486e0e7520e37264cfd7bd81bf586bdfb0c0f5a61bb7d4d79670dc032538cc4d82dc6042c77d4e1061a167c4da530c468a54ce377a2654aa6799e1a6df906

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe

Filesize
86KB

MD5
eace8e61af711a17398fb7af5f3a5f22

SHA1
32ccc73763b8b003144d6f3f6b69f77ac90d2e05

SHA256
d4adb9d9dad23ab0d4edd49631f60835c7d126816541f21a5c4187fde115da42

SHA512
6e120a5b2bb77c8c1574dbf1827683c9e320b936aac6f70a38d80642f2dcd725f1d4409bdc24a9a0b8068cd6e78d2573204d1fe653630a694ddee0798b18bc58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd

Filesize
60B

MD5
23ada030ee52b855789e8fb0db6b5c4b

SHA1
1f5b1274d7f86fbe2675c9c702196711de2a6d50

SHA256
e7ad95fc7303838383f6fddea9615bb70de8579f53e5df581c1557a01c37ce5e

SHA512
8acbd8a505173103f53f32c15e00ea81ffb6e749ec835f42a025e669045f9a020fbc9495b72b621c43311de1273cd80275b60ce9fee789557621e24c9ab7ca38

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf

Filesize
9KB

MD5
6476f7217d9d6372361b9e49d701fb99

SHA1
e1155ab2acc8a9c9b3c83d1e98f816b84b5e7e25

SHA256
6135d3c9956a00c22615e53d66085dabbe2fbb93df7b0cdf5c4f7f7b3829f58b

SHA512
b27abd8ed640a72424b662ae5c529cdda845497dc8bd6b67b0b44ae9cdd5e849f627e1735108b2df09dd6ef83ad1de6faa1ad7a6727b5d7a7985f92a92ca0779

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe

Filesize
17KB

MD5
c51f120a9c190dbe3d3520c1a6442baf

SHA1
7928e17d11de9b438c678aa5427ed3410dad8deb

SHA256
b3ceca8ff16685a407c8a15d440878845384619613f7dc129dc429950e7982d5

SHA512
0c211304aa0df3fe94fbaa55d2e118d86b293dfb4ecbcb24e75297346e9f1a0092ddd106aa0ca597a640dca2f116dc122cdb6e343e0a6e52f323ca095ef6779c

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd

Filesize
14KB

MD5
151f3af412abd6bf05d160a70f8873d8

SHA1
0efcf48401d546ce101920496dcbbf3ab252ee87

SHA256
4c21b9663120b494d0f5112eb5f9e0aab4b659a5bf5d5301ee4d5a98abb20f25

SHA512
58513727d12cc915cd8445a078beb238aa3df28cc49b3733d487b0d3100f1c519b39f5b809ace618536e2d8951c1b3a58c0763a893bbd92a98c8e06575d92a4f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini

Filesize
40B

MD5
58ded3cb7ca70a6975c5419c62fdb51d

SHA1
274040c32983b7fbf01f65e41b375f255a78547d

SHA256
425dbedfc4a8a0672478b0b97e28568e5007e9813bba650fe727b252f43a0dfc

SHA512
c9f3b324adc89be54ccace827c0b0b759f8658a63a6c9689c2bc5f01388daa25b8ea80f8c3b624403a2cae784af5cf0e5a94919795263a31ab9769969fd08a42

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng

Filesize
25KB

MD5
de5b0b40318ceabef85c04260141b039

SHA1
450df0a73f682425f631af1bd8b1960490498427

SHA256
7633ce5b3d2f8fea91207cdc1b2252b81606be1b5ffafedd56220cfd07f36c49

SHA512
2afdbce31039b77761173a3d8a87970a99b152a97048a8710b0d5b4876bd7602dbbf8b5315fe5f4da69d093871ee59c626198371ccdea6180d7e651b871ac91b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng

Filesize
1KB

MD5
6f06958e2d405c60521a3ce618e5ae7f

SHA1
8344c137a187900e7984c1bbff1c0ff5ca1e0023

SHA256
2da89d774f6b830400a3d95e94fd706084b4e28c0078a54c8fc5c01b981a01bf

SHA512
469673e3b09a142d80a1026709fc23abafc3a250d9574c681fb6066aa3c0f06800f60a6dfde7ccf2f3a47902f0eb2647dcd206f59d7bc3861eaf5e4fe721a511

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll

Filesize
53KB

MD5
a99290adea74e761a23cb8e771ee6b61

SHA1
2ce69df807f1debb466f17f5ebf890c58e1ac798

SHA256
a1aefdd88cd9fdbc2c2a87ed75058d26e711fd7f9714012e85ab48d174fe83f9

SHA512
5a16302e8a5011d1ad41003c3dcfc3d1ec7a6b278f5f51ac3284de604ab988023efbe86104e31a6643eaa64ebe8f6ba3e252273b1f4eb6a44fa85cc6cd707ac1

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll

Filesize
24KB

MD5
4301964ff5ac8969b2ff4a231e25f406

SHA1
2a1f13a7229ec43986b2aa87695f5e93a290facb

SHA256
d88d189fb34467b810b64c740a8050cfa56f53ef0c93b9a631f5967e949cd2ac

SHA512
bceeb4f962c8b84aa63f8f923e12a6726f207b3a455c4de3769521922eaf8a44ba0280048dc61cfd8d7738dff22c5c75d4d5b47c195dcf50fa9320111b903082

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe

Filesize
170KB

MD5
12486a2afa03aaf848538b6720f1516b

SHA1
ddd4610e4dd5e74b6b3893ba924c181ef61fba9a

SHA256
f406c6f3c6bec8ba5151c6e99bb3e3a8483413f572f8ddd84e3ec4df7a891911

SHA512
ff9c2140bc5b4c58807204a8aae0be40960d73f6446054632b6ebd02e32157689f65f5a4561dbd91306e941e77e283e5cc4a0125fb9cca30ff1eeaa0af6d3a26

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
75KB

MD5
8015ab2cc394e54e4a36a0bad7027768

SHA1
1c15df81fdcace56f59bd45911f0bc9e37ed521f

SHA256
8b82c3b3b26aee27b8cf5bdfb6e947a0cdcab7e6015f786f4df851d9c2eec42c

SHA512
9fe2c5588e429d2887b7a16427110e32c579140906d68665c19cc8bc3738fa7ac596ac49974e8426877d1154101ed83e6685485a2531c3ffe5bc61c581be20e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{230A3531-5727-11ED-809F-FE8152C730B7}.dat

Filesize
5KB

MD5
cfbea07246f161e09ee3d1fc2c7b31f2

SHA1
a996ff7ea1198054b7b5d031dd3f59d517675c82

SHA256
80394ec4a97f83f8037c22be84182e0e6fa051fd79a51238da73c8085d30c58d

SHA512
ab46f22da8b15275d92a922b9f2ce2a681d9cd243193794af80e51acaccdf6fd36bf7ad8bafcc3b8d9aab0faeedce9beeabc8156c914f31888e8fed1d6535528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\28.reg

Filesize
3KB

MD5
a13e9775202b1ce1ea08dcbbf6a8bdda

SHA1
d5db609a9532cae2436b0ad50a6d17d8969112fd

SHA256
eddf7a3242743603f938f278f1505123dc2d7faec367e7591951fc21b623a8a1

SHA512
ea43a3636336e01bb1b8d1b9defba8681608de6ef72daaa906341f82a122b7cbe549a7d785686e645c704e9282a1a44b2d776aff2da56d560d7b3e3de0ee5100

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
823B

MD5
84b1a5a529c1fcefce2b4ab1c84c90cb

SHA1
a00ea7622732b573000909eabb3981a435e61588

SHA256
c7e3f98061ce60f99799e94241b2b105dffcfdc08ff5bc02550167b049106578

SHA512
8dc813d35abc96975338dab09b93c62d3c81bdaf8a626b858eac7e6cd779d02393e92dda11b7e9a52a3806742979e28399060673f855022739077cf73aeb92fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.6ru.msi

Filesize
8.0MB

MD5
7ad38910c716726ff54d2f9bd5185d5d

SHA1
d513f87b8415f893dc0a68a4630f991d077bc400

SHA256
6504cf10b0b2f9df759cbd6eb5fc15e481bf17d7dbecb3241c4d8e9b852a0575

SHA512
11c959e453d47a1aade6841d912d5bde831b804175b036695150856f03d064e0cc111ccd4a9f98a38cae19c48229b3e9e26dbcc0b9e337d463aa222f925a0d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
75KB

MD5
8015ab2cc394e54e4a36a0bad7027768

SHA1
1c15df81fdcace56f59bd45911f0bc9e37ed521f

SHA256
8b82c3b3b26aee27b8cf5bdfb6e947a0cdcab7e6015f786f4df851d9c2eec42c

SHA512
9fe2c5588e429d2887b7a16427110e32c579140906d68665c19cc8bc3738fa7ac596ac49974e8426877d1154101ed83e6685485a2531c3ffe5bc61c581be20e8

Download Submit
C:\Windows\Installer\MSI5FF6.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rutservSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
75KB

MD5
8015ab2cc394e54e4a36a0bad7027768

SHA1
1c15df81fdcace56f59bd45911f0bc9e37ed521f

SHA256
8b82c3b3b26aee27b8cf5bdfb6e947a0cdcab7e6015f786f4df851d9c2eec42c

SHA512
9fe2c5588e429d2887b7a16427110e32c579140906d68665c19cc8bc3738fa7ac596ac49974e8426877d1154101ed83e6685485a2531c3ffe5bc61c581be20e8

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
75KB

MD5
8015ab2cc394e54e4a36a0bad7027768

SHA1
1c15df81fdcace56f59bd45911f0bc9e37ed521f

SHA256
8b82c3b3b26aee27b8cf5bdfb6e947a0cdcab7e6015f786f4df851d9c2eec42c

SHA512
9fe2c5588e429d2887b7a16427110e32c579140906d68665c19cc8bc3738fa7ac596ac49974e8426877d1154101ed83e6685485a2531c3ffe5bc61c581be20e8

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
75KB

MD5
8015ab2cc394e54e4a36a0bad7027768

SHA1
1c15df81fdcace56f59bd45911f0bc9e37ed521f

SHA256
8b82c3b3b26aee27b8cf5bdfb6e947a0cdcab7e6015f786f4df851d9c2eec42c

SHA512
9fe2c5588e429d2887b7a16427110e32c579140906d68665c19cc8bc3738fa7ac596ac49974e8426877d1154101ed83e6685485a2531c3ffe5bc61c581be20e8

Download Submit
\Windows\Installer\MSI5FF6.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/1252-92-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/1252-91-0x0000000073C60000-0x0000000073C75000-memory.dmp

Filesize
84KB

Download
memory/1384-117-0x0000000073C60000-0x0000000073C75000-memory.dmp

Filesize
84KB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1512-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1512-80-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1616-60-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1632-102-0x0000000073C50000-0x0000000073C65000-memory.dmp

Filesize
84KB

Download
memory/1708-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download