rms | e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
Size

7.2MB
MD5

faf5021dc3a27579ea50efced8a4f137
SHA1

c06cc6593ac3b29af35566d96d649db45001db8e
SHA256

e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2
SHA512

01b495962b976c366b92381fd8c7031df446663b6c06f4f251a9c17017ffb00cbb1f08de55423a6aa6219454f472d2ef8a6a8eb245ceff690cd70540636b3eb4
SSDEEP

196608:DdbSqYn+fJi3qpm6JrfuDG4RRvLjqYSMoO4dsjkS2YfGo/v:DdSqYn+xi3qpmUOL4uj1tfGo/v

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1188	msiexec.exe
4	1188	msiexec.exe
6	1188	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
1468	rutserv.exe
1484	rutserv.exe
688	rutserv.exe
1672	rutserv.exe
272	rfusclient.exe
1052	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1368	attrib.exe

Loads dropped DLL 7 IoCs

pid	Process
1992	MsiExec.exe
1468	rutserv.exe
1484	rutserv.exe
688	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1052	rfusclient.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Microsoft.VC90.CRT.manifest	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host	attrib.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI94EB.tmp	msiexec.exe
File created	C:\Windows\Installer\6c4f6b.ipi	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6c4f69.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\6c4f6d.msi	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\6c4f69.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID381.tmp	msiexec.exe
File created	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6c4f6b.ipi	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1948	sc.exe
1840	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1376	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AuthorizedLUAApp = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Language = "1049"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AdvertiseFlags = "388"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\InstanceType = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\1 = "DISK1;1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net\1 = "C:\\Users\\DimaV\\AppData\\Local\\Temp\\7ZipSfx.004\\"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\PackageCode = "F23A46DC50B831949B88AB866205389B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Version = "100602960"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Version = "100602960"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Clients = 3a0000000000	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Assignment = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\468760457E0CBD740A1C6D8C47ECB68D\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\468760457E0CBD740A1C6D8C47ECB68D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductIcon = "C:\\Windows\\Installer\\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\\ARPPRODUCTICON.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\PackageName = "rms.host5.5ru_mod3.msi"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductIcon = "C:\\Windows\\Installer\\{54067864-C0E7-47DB-A0C1-D6C874CE6BD8}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 9.0.40429.4146"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\DeploymentFlags = "3"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\Media\DiskPrompt = "[1]"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\Language = "1049"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\PackageName = "rms.host5.5ru_mod3.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\PackageCode = "F23A46DC50B831949B88AB866205389B"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\468760457E0CBD740A1C6D8C47ECB68D\SourceList\LastUsedSource = "n;1;C:\\Users\\DimaV\\AppData\\Local\\Temp\\7ZipSfx.004\\"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1608	regedit.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1720	PING.EXE
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1188	msiexec.exe
1188	msiexec.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1468	rutserv.exe
1484	rutserv.exe
1484	rutserv.exe
688	rutserv.exe
688	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe
1672	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeShutdownPrivilege	592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	1188	msiexec.exe
Token: SeTakeOwnershipPrivilege	1188	msiexec.exe
Token: SeSecurityPrivilege	1188	msiexec.exe
Token: SeCreateTokenPrivilege	592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	592	msiexec.exe
Token: SeLockMemoryPrivilege	592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	592	msiexec.exe
Token: SeMachineAccountPrivilege	592	msiexec.exe
Token: SeTcbPrivilege	592	msiexec.exe
Token: SeSecurityPrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeLoadDriverPrivilege	592	msiexec.exe
Token: SeSystemProfilePrivilege	592	msiexec.exe
Token: SeSystemtimePrivilege	592	msiexec.exe
Token: SeProfSingleProcessPrivilege	592	msiexec.exe
Token: SeIncBasePriorityPrivilege	592	msiexec.exe
Token: SeCreatePagefilePrivilege	592	msiexec.exe
Token: SeCreatePermanentPrivilege	592	msiexec.exe
Token: SeBackupPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeShutdownPrivilege	592	msiexec.exe
Token: SeDebugPrivilege	592	msiexec.exe
Token: SeAuditPrivilege	592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	592	msiexec.exe
Token: SeChangeNotifyPrivilege	592	msiexec.exe
Token: SeRemoteShutdownPrivilege	592	msiexec.exe
Token: SeUndockPrivilege	592	msiexec.exe
Token: SeSyncAgentPrivilege	592	msiexec.exe
Token: SeEnableDelegationPrivilege	592	msiexec.exe
Token: SeManageVolumePrivilege	592	msiexec.exe
Token: SeImpersonatePrivilege	592	msiexec.exe
Token: SeCreateGlobalPrivilege	592	msiexec.exe
Token: SeShutdownPrivilege	1588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1588	msiexec.exe
Token: SeCreateTokenPrivilege	1588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1588	msiexec.exe
Token: SeLockMemoryPrivilege	1588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1588	msiexec.exe
Token: SeMachineAccountPrivilege	1588	msiexec.exe
Token: SeTcbPrivilege	1588	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeTakeOwnershipPrivilege	1588	msiexec.exe
Token: SeLoadDriverPrivilege	1588	msiexec.exe
Token: SeSystemProfilePrivilege	1588	msiexec.exe
Token: SeSystemtimePrivilege	1588	msiexec.exe
Token: SeProfSingleProcessPrivilege	1588	msiexec.exe
Token: SeIncBasePriorityPrivilege	1588	msiexec.exe
Token: SeCreatePagefilePrivilege	1588	msiexec.exe
Token: SeCreatePermanentPrivilege	1588	msiexec.exe
Token: SeBackupPrivilege	1588	msiexec.exe
Token: SeRestorePrivilege	1588	msiexec.exe
Token: SeShutdownPrivilege	1588	msiexec.exe
Token: SeDebugPrivilege	1588	msiexec.exe
Token: SeAuditPrivilege	1588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1588	msiexec.exe
Token: SeChangeNotifyPrivilege	1588	msiexec.exe
Token: SeRemoteShutdownPrivilege	1588	msiexec.exe
Token: SeUndockPrivilege	1588	msiexec.exe
Token: SeSyncAgentPrivilege	1588	msiexec.exe
Token: SeEnableDelegationPrivilege	1588	msiexec.exe
Token: SeManageVolumePrivilege	1588	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 872 wrote to memory of 996	872	e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe	27
PID 996 wrote to memory of 1756	996	cmd.exe	29
PID 996 wrote to memory of 1756	996	cmd.exe	29
PID 996 wrote to memory of 1756	996	cmd.exe	29
PID 996 wrote to memory of 1756	996	cmd.exe	29
PID 996 wrote to memory of 1376	996	cmd.exe	30
PID 996 wrote to memory of 1376	996	cmd.exe	30
PID 996 wrote to memory of 1376	996	cmd.exe	30
PID 996 wrote to memory of 1376	996	cmd.exe	30
PID 996 wrote to memory of 588	996	cmd.exe	32
PID 996 wrote to memory of 588	996	cmd.exe	32
PID 996 wrote to memory of 588	996	cmd.exe	32
PID 996 wrote to memory of 588	996	cmd.exe	32
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 592	996	cmd.exe	33
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1588	996	cmd.exe	35
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 1888	996	cmd.exe	36
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 672	996	cmd.exe	37
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 1068	996	cmd.exe	38
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 2032	996	cmd.exe	39
PID 996 wrote to memory of 544	996	cmd.exe	40
PID 996 wrote to memory of 544	996	cmd.exe	40
PID 996 wrote to memory of 544	996	cmd.exe	40

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe
"C:\Users\Admin\AppData\Local\Temp\e721a8ec9686817c850aefe797c801b614e859d2492e6dc2a6068f86cc1ff5a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:588
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
    3⤵
    PID:672
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {B04BFE4C-7F11-49D8-ADFE-867939D886FA} /qn REBOOT=ReallySuppress
    3⤵
    PID:544
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {2B0A2EED-E2C8-40CE-A701-95B211A39B34} /qn REBOOT=ReallySuppress
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {11A90858-40BB-4858-A2DA-CA6495B5E907} /qn REBOOT=ReallySuppress
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {CD64A32F-8B05-4913-B988-BA68265083B9} /qn REBOOT=ReallySuppress
    3⤵
    PID:960
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1720
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "rms.host5.5ru_mod3.msi" /qn
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Program Files (x86)\Remote Manipulator System - Host"
    3⤵
    - Sets file to hidden
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:1368
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s 123.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1608
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:960
- - C:\Windows\SysWOW64\sc.exe
    sc config "RManService" start= auto displayname= "Windows Media"
    3⤵
    - Launches sc.exe
    PID:1948
- - C:\Windows\SysWOW64\sc.exe
    sc description "RManService" "Authorization and authentication for signed Windows Media files"
    3⤵
    - Launches sc.exe
    PID:1840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34ADDCBA32CE152E819FA4A5A76E9959
  2⤵
  - Loads dropped DLL
  PID:1992
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:688

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1672
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
12c4dc4bd3c868922046cc216d00348e

SHA1
64d17fe491449f4a50b6109010054309fd9890b3

SHA256
2265c43d771271d0ffa1ae5c0f35092296f6937c310daf10092ff3a3f5a1b3e1

SHA512
df3649709f0ccef5ea006e961699a5c7afcce27506a51a16dceaef58f538284a1eb3ad5c98b60d0c4803b718e576bb6f7092277deac97cc9f6039ec90da8eb6c

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
941d1b63a94549cbe5224a4e722dd4d5

SHA1
bab121f4c3528af35456bac20fbd296112624260

SHA256
ce1cd24a782932e1c28c030da741a21729a3c5930d8358079b0f91747dd0d832

SHA512
b6bf11fa34ceab70e3f3ce48a8a6dcbe5cfa859db4a03ca18cc6309773a32aff9db111d2d2ab5bb1ce974322eaf71ea81cfaa3911d6b8085a82823a0aa1d30ee

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
957KB

MD5
897266223a905afdc1225ff4e621c868

SHA1
6a5130154430284997dc76af8b145ab90b562110

SHA256
be991f825a2e6939f776ebc6d80d512a33cbbe60de2fcc32820c64f1d6b13c07

SHA512
1ad1386e71e036e66f3b6fdece5a376e7309ceb0f6eb73c3a8203b0825c45aa1f74e1f722b508cf3f73456e7d808853d37bcef79bfe8476fc16a4e6af2e9202b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
04813609224c0c68d641735e188c59fd

SHA1
79907d216ab0a25ab4220bb8eb77c327a896f161

SHA256
1266bdc4a11193df9e3e93f6ceea5dd83f75a62681de5e0a361bf850a6810d60

SHA512
d3eb33055023d467002dbe84ab5782dde60cead8abaae81679dee086d5ef9944b881cbdaeeaa8f8081b56a50cfb5735d52c4f0ce71ffdec847a03fa5957162e5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll

Filesize
240KB

MD5
50bad879226bcbbf02d5cf2dcbcfbf61

SHA1
be262f40212bd5a227d19fdbbd4580c200c31e4b

SHA256
49295f414c5405a4f180b319cfed471871471776e4853baaf117a5185ec0d90d

SHA512
476df817a9c9e23423080afcac899b83fc8f532e4fe62bea2feeb988cba538f1f710e2fb61d81d6c283c428d772922c7a6ecb1684ac68ca8f267415105a60116

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
2721aa44e21659358e8a25c0f13ce02b

SHA1
91589226e6fd81675e013c5b7aad06e5f7903e61

SHA256
74ca24097bc69145af11dc6a0580665d4766aa78c7633f4084d16d7b4fecc5fb

SHA512
fb1f06e18b369e5df0dedf20bf5bcaae4f6d93bf8a4789db2d05b7c895fdeff2dc086089cca67fa7d352563b491606a547c37959db623b071e90a1c876d6cc2a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll

Filesize
1.6MB

MD5
7916c52814b561215c01795bb71bb884

SHA1
0b3341642559efc8233561f81ec80a3983b9fc2d

SHA256
7d3c4c52684afff597dc4c132c464b651cb94aad039458b674d69cf76c240e64

SHA512
fc0a1d717c636639be6835d93bdde8019799842e11a055bedeb468f57cfaabf5582a65e1770841486550e06b1b9ba020ff5fad14b7838fe70afefb37933f1a8f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll

Filesize
556KB

MD5
99c5cb416cb1f25f24a83623ed6a6a09

SHA1
0dbf63dea76be72390c0397cb047a83914e0f7c8

SHA256
9f47416ca37a864a31d3dc997677f8739433f294e83d0621c48eb9093c2e4515

SHA512
8bd1b14a690aa15c07ead90edacbcc4e8e3f68e0bfd6191d42519b9542786df35a66ed37e7af9cf9ff14d55a5622c29a88fee2a5bde889740a3ce6160d5256ac

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll

Filesize
638KB

MD5
bfeac23ced1f4ac8254b5cd1a2bf4dda

SHA1
fd450e3bc758d984f68f0ae5963809d7d80645b6

SHA256
420d298de132941eacec6718039a5f42eaec498399c482e2e0ff4dad76a09608

SHA512
1f4afc2eb72f51b9e600fbbf0d4408728e29b0c6ca45801605801ead0a287873ebbfaaae10b027f1a287c82232d1e7a3a7e7435b7f6a39223c3f7b23d96ed272

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.8MB

MD5
dd15ef60a54488a40afd0aecb5e5611c

SHA1
f1715f6b88ea1ef2cb7f7429e63aa42955131f31

SHA256
27cb81d070de33484994f2f0df6dd67462726726e11435c5ce4cdf6435b9bb94

SHA512
0b8c8f1fe5ee9221f08f4d2e264107f834333717df95d136a3a78248dd619637eefa440474488affaa2d1efa2253877666ecab689a8044b3a5bd68f5a10459d8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.8MB

MD5
dd15ef60a54488a40afd0aecb5e5611c

SHA1
f1715f6b88ea1ef2cb7f7429e63aa42955131f31

SHA256
27cb81d070de33484994f2f0df6dd67462726726e11435c5ce4cdf6435b9bb94

SHA512
0b8c8f1fe5ee9221f08f4d2e264107f834333717df95d136a3a78248dd619637eefa440474488affaa2d1efa2253877666ecab689a8044b3a5bd68f5a10459d8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.8MB

MD5
dd15ef60a54488a40afd0aecb5e5611c

SHA1
f1715f6b88ea1ef2cb7f7429e63aa42955131f31

SHA256
27cb81d070de33484994f2f0df6dd67462726726e11435c5ce4cdf6435b9bb94

SHA512
0b8c8f1fe5ee9221f08f4d2e264107f834333717df95d136a3a78248dd619637eefa440474488affaa2d1efa2253877666ecab689a8044b3a5bd68f5a10459d8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
3d49b75df140bd962f7f83b7f3124607

SHA1
059d1b9e4a2128b5a61ea68ef14ab406aadb54b2

SHA256
e41e6b7e3bf9c70877e58bdf3f2d672931529de6efefcda8d45e72bb8ac5e6b6

SHA512
c17e1533793aa53064c8ec7c458a26e4470f910014056ab275896815063c259be13d7260fdbedf824f301dad0bb8340eb1dc39b684f52c5c0a8e544d2cf89c58

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\123.reg

Filesize
3KB

MD5
f131211fc57465b0b3b14c4faf3c62df

SHA1
a936052ce647398298d316b82bb5afbd75ce28ea

SHA256
99a438b20529bb531dbb53e1a0dad3bf3dfa63eb599f7a665bd386d3a442bace

SHA512
3ca3f575d708b87ee0e37d9d0fe96debaf8ef7645496b26bf744cbcdeaae5a7c2f9666d9040b88c1ea1896926dab779b9064bffb28f5ab0dfdfa0c9d166aa9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
1KB

MD5
d50d5abf61130986c22c1434c52dd303

SHA1
0ad25d3bc9d3d378d4c003213d1b2dd6b55e019b

SHA256
809a84544e09da151e9efaa1217276bc7c86b5602986f6ddec80fb800040e45d

SHA512
6fb570cb04819ce525f72d0fdd4472bbc8553a5649f3a7a0e0812ba4a2595af45f7892fb7877f8ae4ce26eafd8d64a9faf7b733af5837ac9dff7af1e4dc691a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.5ru_mod3.msi

Filesize
7.9MB

MD5
3f7771670a48eb758ca4782dcbdcece7

SHA1
2b591362464c3c1b060fed47ac5d2e07d8bdd61f

SHA256
674198f6bf6a5a840a81ed6957c1ddfa589aae99550d9ed2eef46f3bcf919545

SHA512
4e8c69fd45407b4c167c5b3ba61e0b1d535c6078c3a656d1237777ce117b5154d6cc4fc715a088dd21f563225e545631a88b0057f9c3a7487ee53fef323b3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
C:\Windows\Installer\MSI94EB.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.8MB

MD5
dd15ef60a54488a40afd0aecb5e5611c

SHA1
f1715f6b88ea1ef2cb7f7429e63aa42955131f31

SHA256
27cb81d070de33484994f2f0df6dd67462726726e11435c5ce4cdf6435b9bb94

SHA512
0b8c8f1fe5ee9221f08f4d2e264107f834333717df95d136a3a78248dd619637eefa440474488affaa2d1efa2253877666ecab689a8044b3a5bd68f5a10459d8

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\winmm.dll

Filesize
21KB

MD5
f13a5e178099344fe21141c4e37fd94e

SHA1
1c44f8c9639edda4eadb8dc3b3f282f7d918865c

SHA256
ebd153a130c3d85b0539e06cf3830cc8488ea84ad360c469ebab86b18153f9bb

SHA512
b18458cf9d146b5c5b0dd1d3ed35acbb8e7b45e2c107b9bf2f08515a383bbab2399a1e5ac039ca4bd6d62b6371655c028610f9d123cae22d36eb4bfee7468b99

Download Submit
\Windows\Installer\MSI94EB.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/688-126-0x00000000745D0000-0x00000000745D7000-memory.dmp

Filesize
28KB

Download
memory/872-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1052-135-0x00000000745D0000-0x00000000745D7000-memory.dmp

Filesize
28KB

Download
memory/1188-63-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1468-95-0x00000000745D0000-0x00000000745D7000-memory.dmp

Filesize
28KB

Download
memory/1484-101-0x00000000745E0000-0x00000000745E7000-memory.dmp

Filesize
28KB

Download
memory/1484-100-0x00000000745E0000-0x00000000745E7000-memory.dmp

Filesize
28KB

Download