rms | 43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe
Size

7.8MB
MD5

ebe3f98743d4a03c9ed92e6b27b266a3
SHA1

fb6e47c05ba7b5ed51cff19d9d86d43cc7889747
SHA256

43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671
SHA512

43e233763c326e36bdbe50ca2a13680928a2288c1b285a8b02bb691b4d2fccc2152a3a7d0b18cf88d09578d3a4c5e91bd53a838376f28e6a38f84bc1464d46bb
SSDEEP

196608:sx9Dht4XA61gQzHZKqHuDXKkj0Pgu/k5AmizMvaU/3RxiKEDHeJ:AhmXPHZiXR0Pgu/AApoyU/fiKEDHG

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

3 1716 msiexec.exe
5 1716 msiexec.exe
7 1716 msiexec.exe
9 1716 msiexec.exe
11 1716 msiexec.exe
Executes dropped EXE 7 IoCs

Processes:

000.exeRMS.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid process

704 000.exe
1960 RMS.exe
900 rutserv.exe
1924 rutserv.exe
432 rutserv.exe
672 rutserv.exe
1968 rfusclient.exe

flow	pid	process
3	1716	msiexec.exe
5	1716	msiexec.exe
7	1716	msiexec.exe
9	1716	msiexec.exe
11	1716	msiexec.exe

pid	process
704	000.exe
1960	RMS.exe
900	rutserv.exe
1924	rutserv.exe
432	rutserv.exe
672	rutserv.exe
1968	rfusclient.exe

Loads dropped DLL 11 IoCs

Processes:

cmd.exe000.exeMsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
1180	cmd.exe
704	000.exe
704	000.exe
704	000.exe
560	MsiExec.exe
900	rutserv.exe
1924	rutserv.exe
432	rutserv.exe
672	rutserv.exe
672	rutserv.exe
1968	rfusclient.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 58 IoCs

Processes:

msiexec.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Microsoft.VC90.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6d10a7.ipi	msiexec.exe
File created	C:\Windows\28122008.txt	cmd.exe
File created	C:\Windows\Installer\6d10a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d10a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70D8.tmp	msiexec.exe
File created	C:\Windows\Installer\6d10a9.msi	msiexec.exe
File created	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\6d10a7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\PackageCode = "001E4BCEB6F30B0418BA0CB49940D551"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Version = "100603766"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\PackageName = "rms.host5.6ru.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F21BB3D03099A4D40A267949D7A24BE4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F21BB3D03099A4D40A267949D7A24BE4\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\ProductIcon = "C:\\Windows\\Installer\\{0D3BB12F-9903-4D4A-A062-97947D2AB44E}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F21BB3D03099A4D40A267949D7A24BE4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1200 PING.EXE
1628 PING.EXE

pid	process
1200	PING.EXE
1628	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
1716	msiexec.exe
1716	msiexec.exe
900	rutserv.exe
900	rutserv.exe
900	rutserv.exe
900	rutserv.exe
1924	rutserv.exe
1924	rutserv.exe
432	rutserv.exe
432	rutserv.exe
672	rutserv.exe
672	rutserv.exe
672	rutserv.exe
672	rutserv.exe
1968	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeTakeOwnershipPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	1716	msiexec.exe
Token: SeCreateTokenPrivilege	956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	956	msiexec.exe
Token: SeLockMemoryPrivilege	956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	956	msiexec.exe
Token: SeMachineAccountPrivilege	956	msiexec.exe
Token: SeTcbPrivilege	956	msiexec.exe
Token: SeSecurityPrivilege	956	msiexec.exe
Token: SeTakeOwnershipPrivilege	956	msiexec.exe
Token: SeLoadDriverPrivilege	956	msiexec.exe
Token: SeSystemProfilePrivilege	956	msiexec.exe
Token: SeSystemtimePrivilege	956	msiexec.exe
Token: SeProfSingleProcessPrivilege	956	msiexec.exe
Token: SeIncBasePriorityPrivilege	956	msiexec.exe
Token: SeCreatePagefilePrivilege	956	msiexec.exe
Token: SeCreatePermanentPrivilege	956	msiexec.exe
Token: SeBackupPrivilege	956	msiexec.exe
Token: SeRestorePrivilege	956	msiexec.exe
Token: SeShutdownPrivilege	956	msiexec.exe
Token: SeDebugPrivilege	956	msiexec.exe
Token: SeAuditPrivilege	956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	956	msiexec.exe
Token: SeChangeNotifyPrivilege	956	msiexec.exe
Token: SeRemoteShutdownPrivilege	956	msiexec.exe
Token: SeUndockPrivilege	956	msiexec.exe
Token: SeSyncAgentPrivilege	956	msiexec.exe
Token: SeEnableDelegationPrivilege	956	msiexec.exe
Token: SeManageVolumePrivilege	956	msiexec.exe
Token: SeImpersonatePrivilege	956	msiexec.exe
Token: SeCreateGlobalPrivilege	956	msiexec.exe
Token: SeShutdownPrivilege	1992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1992	msiexec.exe
Token: SeCreateTokenPrivilege	1992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1992	msiexec.exe
Token: SeLockMemoryPrivilege	1992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1992	msiexec.exe
Token: SeMachineAccountPrivilege	1992	msiexec.exe
Token: SeTcbPrivilege	1992	msiexec.exe
Token: SeSecurityPrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeLoadDriverPrivilege	1992	msiexec.exe
Token: SeSystemProfilePrivilege	1992	msiexec.exe
Token: SeSystemtimePrivilege	1992	msiexec.exe
Token: SeProfSingleProcessPrivilege	1992	msiexec.exe
Token: SeIncBasePriorityPrivilege	1992	msiexec.exe
Token: SeCreatePagefilePrivilege	1992	msiexec.exe
Token: SeCreatePermanentPrivilege	1992	msiexec.exe
Token: SeBackupPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeShutdownPrivilege	1992	msiexec.exe
Token: SeDebugPrivilege	1992	msiexec.exe
Token: SeAuditPrivilege	1992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1992	msiexec.exe
Token: SeChangeNotifyPrivilege	1992	msiexec.exe
Token: SeRemoteShutdownPrivilege	1992	msiexec.exe
Token: SeUndockPrivilege	1992	msiexec.exe
Token: SeSyncAgentPrivilege	1992	msiexec.exe
Token: SeEnableDelegationPrivilege	1992	msiexec.exe
Token: SeManageVolumePrivilege	1992	msiexec.exe
Token: SeImpersonatePrivilege	1992	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.execmd.exe000.exeRMS.execmd.exemsiexec.exe

description	pid	process	target process
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1848 wrote to memory of 1180	1848	43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe	cmd.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 1180 wrote to memory of 704	1180	cmd.exe	000.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 704 wrote to memory of 1960	704	000.exe	RMS.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 1960 wrote to memory of 2032	1960	RMS.exe	cmd.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 956	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1992	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1200	2032	cmd.exe	PING.EXE
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 2032 wrote to memory of 1056	2032	cmd.exe	msiexec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 560	1716	msiexec.exe	MsiExec.exe
PID 1716 wrote to memory of 900	1716	msiexec.exe	rutserv.exe

C:\Users\Admin\AppData\Local\Temp\43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe
"C:\Users\Admin\AppData\Local\Temp\43bdc93361560434886e3ce6ed1bbd93f14541b2947e593690f3c9b427600671.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\000.exe
000.exe -p8398 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\RMS.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
5⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\msiexec.exe
MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1200

C:\Windows\SysWOW64\msiexec.exe
MsiExec /I "rms.host5.6ru.msi" /qn
6⤵
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1628

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46C4561D86A3ADD41C5EF434DFDD7418
2⤵
- Loads dropped DLL
PID:560

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
2⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\English.lg
Filesize
43KB

MD5
fcccdb05b62796ad70eec5b21069114a

SHA1
e9aeb1bb63ed3c23e15c033049a9a645f6e2f1fa

SHA256
e4e1e61c81fe036cd05c2ed1a362e1f20565cf6df29fd714b7ad145e1b5176ce

SHA512
a187ee14092dabe948944bd9c451364cb48a08bdff044756f1281d7fba3398a926bb5260b66422dad78d2557791d3187a8e9f76d11a8f5382886393adb987cc8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll
Filesize
144KB

MD5
941d1b63a94549cbe5224a4e722dd4d5

SHA1
bab121f4c3528af35456bac20fbd296112624260

SHA256
ce1cd24a782932e1c28c030da741a21729a3c5930d8358079b0f91747dd0d832

SHA512
b6bf11fa34ceab70e3f3ce48a8a6dcbe5cfa859db4a03ca18cc6309773a32aff9db111d2d2ab5bb1ce974322eaf71ea81cfaa3911d6b8085a82823a0aa1d30ee

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll
Filesize
957KB

MD5
897266223a905afdc1225ff4e621c868

SHA1
6a5130154430284997dc76af8b145ab90b562110

SHA256
be991f825a2e6939f776ebc6d80d512a33cbbe60de2fcc32820c64f1d6b13c07

SHA512
1ad1386e71e036e66f3b6fdece5a376e7309ceb0f6eb73c3a8203b0825c45aa1f74e1f722b508cf3f73456e7d808853d37bcef79bfe8476fc16a4e6af2e9202b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg
Filesize
48KB

MD5
50716fb95abf80ff78451e8a33f16d3c

SHA1
25552c03bf9ab4eb475ba9880a25acd09d44c4f5

SHA256
c36482a3a77859c8c7856da7c1360cfb6b84112df08c50cb3ec176546fa3fa1c

SHA512
071c131826e1d76b79e1dfbf5f1934d4ad5c49cbd904b13e7b11706fc3dd16db281d8ca32f49d08a3640ce59caec2a74597534607701606a7dc52ddf424742e2

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll
Filesize
240KB

MD5
50bad879226bcbbf02d5cf2dcbcfbf61

SHA1
be262f40212bd5a227d19fdbbd4580c200c31e4b

SHA256
49295f414c5405a4f180b319cfed471871471776e4853baaf117a5185ec0d90d

SHA512
476df817a9c9e23423080afcac899b83fc8f532e4fe62bea2feeb988cba538f1f710e2fb61d81d6c283c428d772922c7a6ecb1684ac68ca8f267415105a60116

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll
Filesize
1.6MB

MD5
2721aa44e21659358e8a25c0f13ce02b

SHA1
91589226e6fd81675e013c5b7aad06e5f7903e61

SHA256
74ca24097bc69145af11dc6a0580665d4766aa78c7633f4084d16d7b4fecc5fb

SHA512
fb1f06e18b369e5df0dedf20bf5bcaae4f6d93bf8a4789db2d05b7c895fdeff2dc086089cca67fa7d352563b491606a547c37959db623b071e90a1c876d6cc2a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll
Filesize
1.6MB

MD5
7916c52814b561215c01795bb71bb884

SHA1
0b3341642559efc8233561f81ec80a3983b9fc2d

SHA256
7d3c4c52684afff597dc4c132c464b651cb94aad039458b674d69cf76c240e64

SHA512
fc0a1d717c636639be6835d93bdde8019799842e11a055bedeb468f57cfaabf5582a65e1770841486550e06b1b9ba020ff5fad14b7838fe70afefb37933f1a8f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll
Filesize
556KB

MD5
99c5cb416cb1f25f24a83623ed6a6a09

SHA1
0dbf63dea76be72390c0397cb047a83914e0f7c8

SHA256
9f47416ca37a864a31d3dc997677f8739433f294e83d0621c48eb9093c2e4515

SHA512
8bd1b14a690aa15c07ead90edacbcc4e8e3f68e0bfd6191d42519b9542786df35a66ed37e7af9cf9ff14d55a5622c29a88fee2a5bde889740a3ce6160d5256ac

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll
Filesize
638KB

MD5
bfeac23ced1f4ac8254b5cd1a2bf4dda

SHA1
fd450e3bc758d984f68f0ae5963809d7d80645b6

SHA256
420d298de132941eacec6718039a5f42eaec498399c482e2e0ff4dad76a09608

SHA512
1f4afc2eb72f51b9e600fbbf0d4408728e29b0c6ca45801605801ead0a287873ebbfaaae10b027f1a287c82232d1e7a3a7e7435b7f6a39223c3f7b23d96ed272

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Filesize
4.8MB

MD5
8ae7c08d0c3805092e59cd384da8b618

SHA1
d1e443a5226621e7d2ca48660d68985933ff8659

SHA256
03cccc0222706488a7da919bb6298067ba5e9ef854ecf8d1dc45ffadd392841c

SHA512
1b96509721d9606d1c6c00c385ee5136218ea683c038a666fc903cf13d26874b3ccd1891f627f65e765a74a5987d40ea6725fbf87e954a812638edfb59b3f1f7

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Filesize
4.8MB

MD5
8ae7c08d0c3805092e59cd384da8b618

SHA1
d1e443a5226621e7d2ca48660d68985933ff8659

SHA256
03cccc0222706488a7da919bb6298067ba5e9ef854ecf8d1dc45ffadd392841c

SHA512
1b96509721d9606d1c6c00c385ee5136218ea683c038a666fc903cf13d26874b3ccd1891f627f65e765a74a5987d40ea6725fbf87e954a812638edfb59b3f1f7

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Filesize
1.5MB

MD5
61e83811e514fabe476259b660122757

SHA1
18bc5ebde17ab736ee9a3efe575974a984e46a51

SHA256
a0e05b01959c367dcabb83ec2ae2deaaa355686764c08caf0d67e71931b3f3e3

SHA512
9c7fe68ccf20a6117ed961b518af780dd06ed55b0fc43f480f44744b5c692f33f724832746d2146571e03ba018f673b9c55a04526605b224fbd6d3aeb6289eef

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize
5.8MB

MD5
ae0f362b2afc356560b498e665289dc2

SHA1
c4adc720f015715ea17fee1935ade4af2fb503ab

SHA256
57ae1d78909fede3aa45037bfb5402204c13b162d85f553448f2767bb8ceb397

SHA512
8c96b1fa69e4d5e6776bee99c1a66f66ab91a9c5c06008587000b3666df83c4cb54400f39908ff344b19159bd48d44c0078717d7e13eb825bd58587a23295699

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.bat
Filesize
23B

MD5
c07d1c42eac96e81e2879eec8c56b520

SHA1
a2b184b710312621aaebe1216d70d24ef886c3bb

SHA256
ff8cad853e93ef10ebd745c009a7dfe93dec2b48e94213ec68cf4b889efab0b1

SHA512
edee0ad73710c763bad3acfcdcdca8291e113be4657936514a7083483ff41d94a001f4d98a2d3b1ac5f60c323b3827b4593de3012fe7d046599a6f594622b839

Download Submit
C:\Users\Admin\AppData\Local\Temp\000.exe
Filesize
7.4MB

MD5
56053e245745cdda66956d146f75a066

SHA1
0b7755445144aeaaa6c5cb5c4210672088c52397

SHA256
36de38d35f591a9b429a5ddc7c73bde2f9ca613ad6d78e84343927125325441f

SHA512
59ae5d2702ca6f16a5d313a27c47220317dfa8112f8db4e4811bf5f82a1372636d30677e4c83356df8727cda87e48f4a0eeda4a92d82b7a4ba40c089f8bac9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\000.exe
Filesize
7.4MB

MD5
56053e245745cdda66956d146f75a066

SHA1
0b7755445144aeaaa6c5cb5c4210672088c52397

SHA256
36de38d35f591a9b429a5ddc7c73bde2f9ca613ad6d78e84343927125325441f

SHA512
59ae5d2702ca6f16a5d313a27c47220317dfa8112f8db4e4811bf5f82a1372636d30677e4c83356df8727cda87e48f4a0eeda4a92d82b7a4ba40c089f8bac9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
Filesize
823B

MD5
84b1a5a529c1fcefce2b4ab1c84c90cb

SHA1
a00ea7622732b573000909eabb3981a435e61588

SHA256
c7e3f98061ce60f99799e94241b2b105dffcfdc08ff5bc02550167b049106578

SHA512
8dc813d35abc96975338dab09b93c62d3c81bdaf8a626b858eac7e6cd779d02393e92dda11b7e9a52a3806742979e28399060673f855022739077cf73aeb92fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.6ru.msi
Filesize
8.0MB

MD5
144a26a02fcf9c79497f26e0ab761b20

SHA1
4dd698a5d9293a0f48beb8b7790502c607862df3

SHA256
7b88af541fa9c063eb1e3ec01168e8e084902a97960ecbdf46a580c2cb85378b

SHA512
0ec99c1dfb118f6557394302a051a62ce754509efcdc57481b39ed754d693f8ab6f2b09c91bdeac6f3b77e8fa71890bc80188d05e6ebca179848228e6bcafc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
7.3MB

MD5
de8d9009ed4fdd6b5cb57ea3673dd093

SHA1
e7a2d418b447334edaffd011dd9fe07a5f319904

SHA256
b250791e3b363131dbc88272d4a5b12a9b54960fab5d39232ce6523201a1750f

SHA512
88378de51c59eb263b06f8020be3d35b80a90799b39e577c57780009fa4c97c2711b0ead5238330088a3871861b0f2b8de6b0ef394ee3b7cef36fba226a44af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
7.3MB

MD5
de8d9009ed4fdd6b5cb57ea3673dd093

SHA1
e7a2d418b447334edaffd011dd9fe07a5f319904

SHA256
b250791e3b363131dbc88272d4a5b12a9b54960fab5d39232ce6523201a1750f

SHA512
88378de51c59eb263b06f8020be3d35b80a90799b39e577c57780009fa4c97c2711b0ead5238330088a3871861b0f2b8de6b0ef394ee3b7cef36fba226a44af2

Download Submit
C:\Windows\Installer\MSI8B69.tmp
Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Filesize
4.8MB

MD5
8ae7c08d0c3805092e59cd384da8b618

SHA1
d1e443a5226621e7d2ca48660d68985933ff8659

SHA256
03cccc0222706488a7da919bb6298067ba5e9ef854ecf8d1dc45ffadd392841c

SHA512
1b96509721d9606d1c6c00c385ee5136218ea683c038a666fc903cf13d26874b3ccd1891f627f65e765a74a5987d40ea6725fbf87e954a812638edfb59b3f1f7

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll
Filesize
21KB

MD5
ddd705024d05f97aeed1f922cfeacfc8

SHA1
a4e4a9eb1ec8df7c52da042f744114282da3df93

SHA256
e2513564cc808ecec627c00a73c3e5a1b6c7f915e24ff8b63d4221feeef75da2

SHA512
9abb07ed73ee63e862e2de05bab09a49b1b0aaeeaec9feb98ddab897f591be9a1a47c60e6395938a3bd1e4f715fe729723d2ec1b3a54b36caf98285910b000b3

Download Submit
\Users\Admin\AppData\Local\Temp\000.exe
Filesize
7.4MB

MD5
56053e245745cdda66956d146f75a066

SHA1
0b7755445144aeaaa6c5cb5c4210672088c52397

SHA256
36de38d35f591a9b429a5ddc7c73bde2f9ca613ad6d78e84343927125325441f

SHA512
59ae5d2702ca6f16a5d313a27c47220317dfa8112f8db4e4811bf5f82a1372636d30677e4c83356df8727cda87e48f4a0eeda4a92d82b7a4ba40c089f8bac9d6

Download Submit
\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
7.3MB

MD5
de8d9009ed4fdd6b5cb57ea3673dd093

SHA1
e7a2d418b447334edaffd011dd9fe07a5f319904

SHA256
b250791e3b363131dbc88272d4a5b12a9b54960fab5d39232ce6523201a1750f

SHA512
88378de51c59eb263b06f8020be3d35b80a90799b39e577c57780009fa4c97c2711b0ead5238330088a3871861b0f2b8de6b0ef394ee3b7cef36fba226a44af2

Download Submit
\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
7.3MB

MD5
de8d9009ed4fdd6b5cb57ea3673dd093

SHA1
e7a2d418b447334edaffd011dd9fe07a5f319904

SHA256
b250791e3b363131dbc88272d4a5b12a9b54960fab5d39232ce6523201a1750f

SHA512
88378de51c59eb263b06f8020be3d35b80a90799b39e577c57780009fa4c97c2711b0ead5238330088a3871861b0f2b8de6b0ef394ee3b7cef36fba226a44af2

Download Submit
\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize
7.3MB

MD5
de8d9009ed4fdd6b5cb57ea3673dd093

SHA1
e7a2d418b447334edaffd011dd9fe07a5f319904

SHA256
b250791e3b363131dbc88272d4a5b12a9b54960fab5d39232ce6523201a1750f

SHA512
88378de51c59eb263b06f8020be3d35b80a90799b39e577c57780009fa4c97c2711b0ead5238330088a3871861b0f2b8de6b0ef394ee3b7cef36fba226a44af2

Download Submit
\Windows\Installer\MSI8B69.tmp
Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/432-110-0x00000000744C0000-0x00000000744C7000-memory.dmp

Filesize
28KB

Download
memory/432-101-0x0000000000000000-mapping.dmp

Download
memory/560-85-0x0000000000000000-mapping.dmp

Download
memory/672-111-0x00000000744C0000-0x00000000744C7000-memory.dmp

Filesize
28KB

Download
memory/704-60-0x0000000000000000-mapping.dmp

Download
memory/900-95-0x00000000744C0000-0x00000000744C7000-memory.dmp

Filesize
28KB

Download
memory/900-89-0x0000000000000000-mapping.dmp

Download
memory/900-94-0x00000000744C0000-0x00000000744C7000-memory.dmp

Filesize
28KB

Download
memory/956-74-0x0000000000000000-mapping.dmp

Download
memory/1056-81-0x0000000000000000-mapping.dmp

Download
memory/1180-55-0x0000000000000000-mapping.dmp

Download
memory/1200-79-0x0000000000000000-mapping.dmp

Download
memory/1628-105-0x0000000000000000-mapping.dmp

Download
memory/1716-76-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1848-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1924-96-0x0000000000000000-mapping.dmp

Download
memory/1924-100-0x00000000744D0000-0x00000000744D7000-memory.dmp

Filesize
28KB

Download
memory/1952-129-0x0000000000000000-mapping.dmp

Download
memory/1960-66-0x0000000000000000-mapping.dmp

Download
memory/1968-125-0x0000000000000000-mapping.dmp

Download
memory/1992-77-0x0000000000000000-mapping.dmp

Download
memory/2032-70-0x0000000000000000-mapping.dmp

Download