rms | a785b6bac833f0ebff7132dcd4e93f63db922fdebf6d572205def42925bc56b0

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2023 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discord.exe
Size

108.2MB
MD5

73e882ed6e9604978cbc396bd00a11e5
SHA1

f0524a000c4e1570a3c4fdfd426decb813b28401
SHA256

a785b6bac833f0ebff7132dcd4e93f63db922fdebf6d572205def42925bc56b0
SHA512

7e11cd2bafb4aa1107468162edaf211624852865230dac214a497067b5efea9c783271852afc29bec2a6e62cdda87108fe3676d723d810aee14e38ea946105ee
SSDEEP

3145728:gvHIQcGy6x67p5Q/xXFcHta2A6wFxjp7JD41E:gvpfVs76cNa2A6wXttk1E

Score

10^/10

rms discovery persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow	pid	Process
38	4116	msiexec.exe
40	4116	msiexec.exe
42	4116	msiexec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET414A.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET414A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\lockscr.sys	DrvInst.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

discord.exeDiscord.exerfusclient.exerfusclient.exerfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 13 IoCs

Processes:

Discord.exeDiscordSetup.exeUpdate.exerfusclient.exerutserv.exerutserv.exedrvinstaller64.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	Process
3660	Discord.exe
4908	DiscordSetup.exe
1376	Update.exe
3920	rfusclient.exe
1740	rutserv.exe
4716	rutserv.exe
3008	drvinstaller64.exe
4408	rutserv.exe
4688	rutserv.exe
2004	rutserv.exe
1640	rfusclient.exe
3120	rfusclient.exe
4764	rfusclient.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
1236	MsiExec.exe
1740	rutserv.exe
1740	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

dxdiag.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000800000002327f-6.dat	upx
behavioral2/files/0x000800000002327f-15.dat	upx
behavioral2/files/0x000800000002327f-14.dat	upx
behavioral2/memory/3660-21-0x0000000000400000-0x000000000283E000-memory.dmp	upx
behavioral2/memory/3660-61-0x0000000000400000-0x000000000283E000-memory.dmp	upx
behavioral2/memory/3660-427-0x0000000000400000-0x000000000283E000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in System32 directory 41 IoCs

Processes:

DrvInst.exerutserv.exedxdiag.exedrvinstaller64.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	dxdiag.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A57.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.PNF	drvinstaller64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A16.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A57.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665	rutserv.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache\fe8d97be6d92aa78\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\D3DSCache	dxdiag.exe
File created	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A16.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A56.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\SET3A56.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exerutserv.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.sys	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\drvinstaller32.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-08.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\rppd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\printer.ico	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows10\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.cat	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\Windows8\lockscr.sys	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows8\lockscr.sys	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x86\Windows10\lockscr.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll	msiexec.exe

Drops file in Windows directory 25 IoCs

Processes:

msiexec.exedrvinstaller64.exeDrvInst.exesvchost.exeDrvInst.exe

description	ioc	Process
File created	C:\Windows\Installer\e57d2c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d2c1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57d2c5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	drvinstaller64.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI106.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSID9A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{E5803A4B-5A4B-44F6-A759-882FB6AD7982}	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

drvinstaller64.exeDrvInst.exedxdiag.exeDrvInst.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	drvinstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	drvinstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

drvinstaller64.exedxdiag.exeDrvInst.exerutserv.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\1PCM\AcmId = "1"	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\85MPEG Layer-3\CLSID = "{6A08CF80-0E18-11CF-A24D-0020AFD79767}"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\MidiOutId = "4294967295"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In VideoCapture = "1"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\2Microsoft ADPCM	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\wave:{380DD820-63D6-4A8A-B001-59870EF913FD}\ClassManagerFlags = "2"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectSound = "3"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	dxdiag.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\FilterData = 02000000000080000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000006d69647300001000800000aa00389b7100000000000000000000000000000000	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectSound = "2"	dxdiag.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\wave:{380DD820-63D6-4A8A-B001-59870EF913FD}\FilterData = 02000000000020000000000000000000	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\wave:{380DD820-63D6-4A8A-B001-59870EF913FD}\EndpointId = "{0.0.1.00000000}.{380dd820-63d6-4a8a-b001-59870ef913fd}"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\85MPEG Layer-3\FriendlyName = "MPEG Layer-3"	dxdiag.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\DirectSound:{7706A9D2-36E9-4710-A2DE-71F6D5AFB479}\FilterData = 0200000000002000010000000000000030706933020000000000000013000000000000000000000030747933000000005801000068010000317479330000000058010000780100003274793300000000580100008801000033747933000000005801000098010000347479330000000058010000a8010000357479330000000058010000b8010000367479330000000058010000c8010000377479330000000058010000d8010000387479330000000058010000e8010000397479330000000058010000f80100003a7479330000000058010000080200003b7479330000000058010000180200003c7479330000000058010000280200003d7479330000000058010000380200003e7479330000000058010000480200003f7479330000000058010000580200004074793300000000580100006802000041747933000000005801000078020000427479330000000058010000880200006175647300001000800000aa00389b710100000000001000800000aa00389b710900000000001000800000aa00389b710300000000001000800000aa00389b714902000000001000800000aa00389b714002000000001000800000aa00389b714102000000001000800000aa00389b7103000000ea0c1000800000aa00389b7104000000ea0c1000800000aa00389b7105000000ea0c1000800000aa00389b7106000000ea0c1000800000aa00389b7108000000ea0c1000800000aa00389b7109000000ea0c1000800000aa00389b710a000000ea0c1000800000aa00389b710b000000ea0c1000800000aa00389b710c000000ea0c1000800000aa00389b710d000000ea0c1000800000aa00389b710800000000001000800000aa00389b719200000000001000800000aa00389b716401000000001000800000aa00389b71	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\wave:{7706A9D2-36E9-4710-A2DE-71F6D5AFB479}\FriendlyName = "Speakers (High Definition Audio Device)"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	drvinstaller64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\7CCITT u-Law\AcmId = "7"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectInput\DXDIAG.EXE214A433E00042800	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Microsoft GS Wavetable Synth	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\wave:{7706A9D2-36E9-4710-A2DE-71F6D5AFB479}\WaveOutId = "0"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In Media Foundation = "1"	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\DirectInput\MostRecentApplication\Name = "DXDIAG.EXE"	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\49GSM 6.10\CLSID = "{6A08CF80-0E18-11CF-A24D-0020AFD79767}"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	drvinstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	dxdiag.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\1PCM\FriendlyName = "PCM"	dxdiag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{33D9A761-90C8-11D0-BD43-00A0C911CE86}\85MPEG Layer-3\AcmId = "85"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	drvinstaller64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	dxdiag.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe

Modifies registry class 62 IoCs

Processes:

msiexec.exedxdiag.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{852BA1D1-9A15-46DB-9BB9-7DCE03647FA5}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RMS_{852BA1D1-9A15-46DB-9BB9-7DCE03647FA5}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\PackageCode = "B39B0F2EBB537BF46A58ECBDE554B477"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AuthorizedLUAApp = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\PackageName = "host.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductIcon = "C:\\Windows\\Installer\\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\monitor_driver	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-18\{9B9A3537-891B-4C60-B26F-1A558725CB41}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Net\2 = "C:\\ProgramData\\Remote Manipulator System\\msi\\69110_{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4A3085EB4A56F447A9588F26BDA9728	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-18\{033589B6-A1F4-4818-8A90-799E7E383E36}	dxdiag.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4A3085EB4A56F447A9588F26BDA9728\Version = "117436076"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

Discord.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exedxdiag.exe

pid	Process
3660	Discord.exe
3660	Discord.exe
3660	Discord.exe
3660	Discord.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
1640	rfusclient.exe
1640	rfusclient.exe
4808	dxdiag.exe
4808	dxdiag.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
4764	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	4924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4924	msiexec.exe
Token: SeSecurityPrivilege	4116	msiexec.exe
Token: SeCreateTokenPrivilege	4924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4924	msiexec.exe
Token: SeLockMemoryPrivilege	4924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4924	msiexec.exe
Token: SeMachineAccountPrivilege	4924	msiexec.exe
Token: SeTcbPrivilege	4924	msiexec.exe
Token: SeSecurityPrivilege	4924	msiexec.exe
Token: SeTakeOwnershipPrivilege	4924	msiexec.exe
Token: SeLoadDriverPrivilege	4924	msiexec.exe
Token: SeSystemProfilePrivilege	4924	msiexec.exe
Token: SeSystemtimePrivilege	4924	msiexec.exe
Token: SeProfSingleProcessPrivilege	4924	msiexec.exe
Token: SeIncBasePriorityPrivilege	4924	msiexec.exe
Token: SeCreatePagefilePrivilege	4924	msiexec.exe
Token: SeCreatePermanentPrivilege	4924	msiexec.exe
Token: SeBackupPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4924	msiexec.exe
Token: SeShutdownPrivilege	4924	msiexec.exe
Token: SeDebugPrivilege	4924	msiexec.exe
Token: SeAuditPrivilege	4924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4924	msiexec.exe
Token: SeChangeNotifyPrivilege	4924	msiexec.exe
Token: SeRemoteShutdownPrivilege	4924	msiexec.exe
Token: SeUndockPrivilege	4924	msiexec.exe
Token: SeSyncAgentPrivilege	4924	msiexec.exe
Token: SeEnableDelegationPrivilege	4924	msiexec.exe
Token: SeManageVolumePrivilege	4924	msiexec.exe
Token: SeImpersonatePrivilege	4924	msiexec.exe
Token: SeCreateGlobalPrivilege	4924	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe
Token: SeRestorePrivilege	4116	msiexec.exe
Token: SeTakeOwnershipPrivilege	4116	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Update.exerfusclient.exe

pid	Process
1376	Update.exe
3120	rfusclient.exe
3120	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rfusclient.exe

pid	Process
3120	rfusclient.exe
3120	rfusclient.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

Discord.exerutserv.exerutserv.exedrvinstaller64.exerutserv.exerutserv.exerutserv.exedxdiag.exe

pid	Process
3660	Discord.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
1740	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
3008	drvinstaller64.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4408	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
4688	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
2004	rutserv.exe
4808	dxdiag.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

discord.exeDiscordSetup.exeDiscord.exemsiexec.exerutserv.exesvchost.exerutserv.exerfusclient.exe

description	pid	Process	procid_target
PID 4476 wrote to memory of 3908	4476	discord.exe	92
PID 4476 wrote to memory of 3908	4476	discord.exe	92
PID 4476 wrote to memory of 3908	4476	discord.exe	92
PID 4476 wrote to memory of 3660	4476	discord.exe	94
PID 4476 wrote to memory of 3660	4476	discord.exe	94
PID 4476 wrote to memory of 3660	4476	discord.exe	94
PID 4476 wrote to memory of 4908	4476	discord.exe	97
PID 4476 wrote to memory of 4908	4476	discord.exe	97
PID 4476 wrote to memory of 4908	4476	discord.exe	97
PID 4908 wrote to memory of 1376	4908	DiscordSetup.exe	101
PID 4908 wrote to memory of 1376	4908	DiscordSetup.exe	101
PID 4908 wrote to memory of 1376	4908	DiscordSetup.exe	101
PID 3660 wrote to memory of 4924	3660	Discord.exe	102
PID 3660 wrote to memory of 4924	3660	Discord.exe	102
PID 3660 wrote to memory of 4924	3660	Discord.exe	102
PID 4116 wrote to memory of 1236	4116	msiexec.exe	104
PID 4116 wrote to memory of 1236	4116	msiexec.exe	104
PID 4116 wrote to memory of 1236	4116	msiexec.exe	104
PID 4116 wrote to memory of 3920	4116	msiexec.exe	107
PID 4116 wrote to memory of 3920	4116	msiexec.exe	107
PID 4116 wrote to memory of 3920	4116	msiexec.exe	107
PID 4116 wrote to memory of 1740	4116	msiexec.exe	109
PID 4116 wrote to memory of 1740	4116	msiexec.exe	109
PID 4116 wrote to memory of 1740	4116	msiexec.exe	109
PID 4116 wrote to memory of 4716	4116	msiexec.exe	110
PID 4116 wrote to memory of 4716	4116	msiexec.exe	110
PID 4116 wrote to memory of 4716	4116	msiexec.exe	110
PID 4716 wrote to memory of 3008	4716	rutserv.exe	111
PID 4716 wrote to memory of 3008	4716	rutserv.exe	111
PID 4712 wrote to memory of 4308	4712	svchost.exe	113
PID 4712 wrote to memory of 4308	4712	svchost.exe	113
PID 4712 wrote to memory of 2952	4712	svchost.exe	114
PID 4712 wrote to memory of 2952	4712	svchost.exe	114
PID 4116 wrote to memory of 4408	4116	msiexec.exe	117
PID 4116 wrote to memory of 4408	4116	msiexec.exe	117
PID 4116 wrote to memory of 4408	4116	msiexec.exe	117
PID 4116 wrote to memory of 4688	4116	msiexec.exe	119
PID 4116 wrote to memory of 4688	4116	msiexec.exe	119
PID 4116 wrote to memory of 4688	4116	msiexec.exe	119
PID 2004 wrote to memory of 1640	2004	rutserv.exe	123
PID 2004 wrote to memory of 1640	2004	rutserv.exe	123
PID 2004 wrote to memory of 1640	2004	rutserv.exe	123
PID 2004 wrote to memory of 3120	2004	rutserv.exe	124
PID 2004 wrote to memory of 3120	2004	rutserv.exe	124
PID 2004 wrote to memory of 3120	2004	rutserv.exe	124
PID 1640 wrote to memory of 4764	1640	rfusclient.exe	125
PID 1640 wrote to memory of 4764	1640	rfusclient.exe	125
PID 1640 wrote to memory of 4764	1640	rfusclient.exe	125
PID 2004 wrote to memory of 4808	2004	rutserv.exe	126
PID 2004 wrote to memory of 4808	2004	rutserv.exe	126

C:\Users\Admin\AppData\Local\Temp\discord.exe
"C:\Users\Admin\AppData\Local\Temp\discord.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\xcopy.exe
  "C:\Windows\System32\xcopy.exe" /Y "C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.rar"
  2⤵
  - Enumerates system info in registry
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\DiscordSetup\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\DiscordSetup\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RMS_{852BA1D1-9A15-46DB-9BB9-7DCE03647FA5}\host.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:1376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 41EDEC0BD5693CC14959D24EAF8C1B83
  2⤵
  - Loads dropped DLL
  PID:1236
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RMS_{852BA1D1-9A15-46DB-9BB9-7DCE03647FA5}\host.msi"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3920
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -dispinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe" -dispinstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:3008
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4408
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.inf" "9" "4351f1d4b" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4308
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "DISPLAY\RHT1234\4&27B1E55B&0&UID0" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca116f85e4ac:Driver_DDI:16.10.46.576:*pnp09ff," "4351f1d4b" "000000000000015C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:2952

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4764
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3120
- C:\Windows\system32\dxdiag.exe
  "C:\Windows\system32\dxdiag.exe" /whql:off /x "C:\Windows\Temp\dxdig_{5A53B0DE-6437-49BA-BF0B-1726DACFFAE3}.xml"
  2⤵
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
58KB

MD5
246286feb0ed55eaf4251e256d2fe47e

SHA1
bc76b013918e4c1bd6dff44708a760496d8c717c

SHA256
64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27

SHA512
900e670259fb3b5762c0242236ce86fcdd04300407fc4d79959edfed99bbec58b4e10048a2b9ef54e709d00717870bf09c7b5fb2f5fa3cfe844682d2bb36f12f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe

Filesize
335KB

MD5
72076f4aae15dd34c572e8e151c261e6

SHA1
4c9a495e24a3d2d95f89b6b9bf908de3e7b82928

SHA256
588e5a448742a6bbe8536463b072a424ca3e7a88a212d7fa92618b2620826db6

SHA512
7ad67ca63a84b4977b98ad26922154aad798e8518e93a8c57bb5f0803e96252fe6c8646d6dad53dc81abdbed114b16d4e25beeae7050ab835f38b7ece7472572

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Monitor\x64\drvinstaller64.exe

Filesize
335KB

MD5
72076f4aae15dd34c572e8e151c261e6

SHA1
4c9a495e24a3d2d95f89b6b9bf908de3e7b82928

SHA256
588e5a448742a6bbe8536463b072a424ca3e7a88a212d7fa92618b2620826db6

SHA512
7ad67ca63a84b4977b98ad26922154aad798e8518e93a8c57bb5f0803e96252fe6c8646d6dad53dc81abdbed114b16d4e25beeae7050ab835f38b7ece7472572

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
64KB

MD5
55a0b95a1d1b7e309f2c22af82a07cc0

SHA1
521c41e185e5b5e73cfc4e1b18646dc4ed171942

SHA256
704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d

SHA512
38e3a8392f84cd31b9eb12ce4fa7ed04db29f4fe4de95e52f18cdc6e7c74a0b2673d15ab40802bf289ed3a1e83526827b012ceddbb309f40c5302547ce39f5f9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
6.3MB

MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
6.3MB

MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
6.3MB

MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
6.3MB

MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
6.3MB

MD5
cd97f125a6462574065fd1e3854f9d7f

SHA1
fee8a2a4b8e7cd15d69915f2f9d84ccf09f9868f

SHA256
b46f3ae494d9effb0b3cfb4ab6d364ecff8d65f94090344f6526094d067b5df2

SHA512
5f56b22b7d73f2037ca192572cb4e8a35399a2dc62bb7aa5613db59992770e7af356daf6fc012b2ed2da9ab5ad4271c227c93229a512d1a20ee492d2b5459b24

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
12.6MB

MD5
55d66bd554511f803bebead2bd1bfde0

SHA1
34d8176565909b7b756d92a32cd8a50185f998f1

SHA256
decfe9f582f6eed39ade6c5770e4146d4ba9b488b146753d7f652815d25379bd

SHA512
cb66959389ff701b0e56f2c491ced77030755bccd10349a7fb23dac0079eb980f7cc6f2e7ace1f3b4d7d3fbf41f3b440c99331831a3d339569339c6f26efccdc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
380KB

MD5
1ea62293ac757a0c2b64e632f30db636

SHA1
8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

SHA256
970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

SHA512
857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
1.6MB

MD5
89770647609ac26c1bbd9cf6ed50954e

SHA1
349eed120070bab7e96272697b39e786423ac1d3

SHA256
7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

SHA512
a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
260KB

MD5
d29f7070ee379544aeb19913621c88e6

SHA1
499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

SHA256
654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

SHA512
4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
365KB

MD5
7a9eeac3ceaf7f95f44eb5c57b4db2e3

SHA1
be1048c254aa3114358f76d08c55667c4bf2d382

SHA256
b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

SHA512
b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
860KB

MD5
5308b9945e348fbe3a480be06885434c

SHA1
5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

SHA256
9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

SHA512
4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

Download Submit
C:\ProgramData\Remote Manipulator System\install.log

Filesize
607B

MD5
9bb913f1d9d4c40497e8b6eaeb523a4c

SHA1
4cf3ba20136a4819bec3abfbf990fb5f1e4bf2a0

SHA256
271c3e9be884722de00ff7680995f6b4e08ecf6fb3dfcda91b9ce31d92a3f259

SHA512
a511d04b4fcde39a77c32ed158104055d7314b8e831aad7b9b6a12de70b7ee2458d920fb8d7afac28c55c1f6eaca8872442ce0b68e44276322587b5855f3da62

Download Submit
C:\ProgramData\Remote Manipulator System\install.log

Filesize
710B

MD5
ac261514c8ce3dce3b64ebf6f3af5e4c

SHA1
3a9430e1b745d9eda1430d7d008a064010fc417b

SHA256
b3117936f2b34df40a9b5a6bbc8ed1b7ae547bc7dc421c76465086f145b771c6

SHA512
fa7a558f245f8a4ef590f02fee00c65b211b5bdfed6404fc35fba33b74cbed43a9ad572bc0922dd341da0c4501f47f7c1aafa9fe0ae601d0c9320e7a99500aad

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Discord-1.0.9017-full.nupkg

Filesize
90.4MB

MD5
a7290757f7a056fb4c2892fa7919d984

SHA1
0396e5c0a2d6c403573599a21adf71753543e525

SHA256
2ea4855318e884ca1c17936143a535549bb84e09272c383722dd93a05a2b012f

SHA512
4a7a842a34a314346f8e257bb4eeee57b6e066fc8088260c7a15bd4284da2976da2d46c13ac0db7d1e29221bb074072d9ef021e7b4e52d532b4cf798d2f2e080

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
80B

MD5
6ecf7105186a731a7d19d708cde5a9dd

SHA1
67088525f6c653341ed1a57d41a13e526fe61d6f

SHA256
0e23f3ad5a0d4b487a6b1224dfcb869894cc941ff3f4c9d0f2b4dd304bd84109

SHA512
fea1ae5fd846a44351682b8b8976e0f1c97f1f0d767535d61132ffef08ee04668b9b36fd09c76619c5b7f560bafa3bc12dbc952e47c764d9669945bd777e3f14

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
13211a1abcd316d5950863db10883cc7

SHA1
cd2cb79376bab12d1cb6cc944c819e8192c2894e

SHA256
33b3abb5cc896f1803066bd28cbeb86cf42c03d82518b22358f41d637e08979b

SHA512
b022c61111d2dbea609b16c4584c08a0f93bba1fb1de54640652f94c20d87783df280e3a2f15f3fb4bc79bcc530738c8bcc97ac7dad63fd00a47caa992f24021

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
13211a1abcd316d5950863db10883cc7

SHA1
cd2cb79376bab12d1cb6cc944c819e8192c2894e

SHA256
33b3abb5cc896f1803066bd28cbeb86cf42c03d82518b22358f41d637e08979b

SHA512
b022c61111d2dbea609b16c4584c08a0f93bba1fb1de54640652f94c20d87783df280e3a2f15f3fb4bc79bcc530738c8bcc97ac7dad63fd00a47caa992f24021

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\Discord.exe

Filesize
17.2MB

MD5
54373b0f78368991613b2de88c88e031

SHA1
101a9b7c1d718b4736022a1512339b19595a1249

SHA256
3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc

SHA512
7f35b5aa86a86a986888134230f1e2ce3d77fde1123c714b3f72bcde1272d3fa1dcc05406dca9c5cd25f807f92976d0d77016f9fbdca7017412b4f09ecde0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\Discord.exe

Filesize
17.2MB

MD5
54373b0f78368991613b2de88c88e031

SHA1
101a9b7c1d718b4736022a1512339b19595a1249

SHA256
3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc

SHA512
7f35b5aa86a86a986888134230f1e2ce3d77fde1123c714b3f72bcde1272d3fa1dcc05406dca9c5cd25f807f92976d0d77016f9fbdca7017412b4f09ecde0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\Discord.exe

Filesize
17.2MB

MD5
54373b0f78368991613b2de88c88e031

SHA1
101a9b7c1d718b4736022a1512339b19595a1249

SHA256
3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc

SHA512
7f35b5aa86a86a986888134230f1e2ce3d77fde1123c714b3f72bcde1272d3fa1dcc05406dca9c5cd25f807f92976d0d77016f9fbdca7017412b4f09ecde0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.exe

Filesize
91.3MB

MD5
8b004a14720766c0a8d72b32120e8659

SHA1
928ed1f321dc7e092fc8c3a097b812028c3cbd52

SHA256
a774a6d44916e60cb7a8f5c4dc8ae9dbb27162847a54b608149844419a58b331

SHA512
cb257eb2a1cf690d1600f5b7d5502fda5d72da586f1e5b2618969a14167fcca130c4212330d0061b8c97e6336725864ff316a1dfccc20bb59ca89cadb44e6d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.exe

Filesize
91.3MB

MD5
8b004a14720766c0a8d72b32120e8659

SHA1
928ed1f321dc7e092fc8c3a097b812028c3cbd52

SHA256
a774a6d44916e60cb7a8f5c4dc8ae9dbb27162847a54b608149844419a58b331

SHA512
cb257eb2a1cf690d1600f5b7d5502fda5d72da586f1e5b2618969a14167fcca130c4212330d0061b8c97e6336725864ff316a1dfccc20bb59ca89cadb44e6d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiscordSetup\DiscordSetup.exe

Filesize
91.3MB

MD5
8b004a14720766c0a8d72b32120e8659

SHA1
928ed1f321dc7e092fc8c3a097b812028c3cbd52

SHA256
a774a6d44916e60cb7a8f5c4dc8ae9dbb27162847a54b608149844419a58b331

SHA512
cb257eb2a1cf690d1600f5b7d5502fda5d72da586f1e5b2618969a14167fcca130c4212330d0061b8c97e6336725864ff316a1dfccc20bb59ca89cadb44e6d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMS_{852BA1D1-9A15-46DB-9BB9-7DCE03647FA5}\host.msi

Filesize
17.4MB

MD5
bac7724f2bb43c352494c77bc99d3e5c

SHA1
f440a950e53adad76238db2e084374fc74a5711b

SHA256
a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793

SHA512
1e7e85915293db5c9ee9dc27604d1f9c83ad66aec28aa82544d29f2ee4ffca72349c0b828a17fe1b08fab206b3695ce7072227ded23bb315db6f663e93427b1d

Download Submit
C:\Windows\INF\oem3.inf

Filesize
1KB

MD5
49ad0d7c46ac85407b40701d0d205aa8

SHA1
d1a359d7aacfa04424bdda9ba49c81eb248799e3

SHA256
ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a

SHA512
4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d

Download Submit
C:\Windows\Installer\MSID9A7.tmp

Filesize
153KB

MD5
52185b209cfdb02d88b4a40a4bdf0911

SHA1
aa35fedfeefbee93bcca5a30feed8d240e2d1c95

SHA256
756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492

SHA512
8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3

Download Submit
C:\Windows\Installer\MSID9A7.tmp

Filesize
153KB

MD5
52185b209cfdb02d88b4a40a4bdf0911

SHA1
aa35fedfeefbee93bcca5a30feed8d240e2d1c95

SHA256
756543551f27e9450dcf0ffdd10cd44af6fd0e8dbca037dee5b575683d5a9492

SHA512
8493e1996b6038bcb49fbce539c8ec8d6b8f86cf5aff4dc9870f66d77f179ae06e0539e06046a03a64a3e29c6b3693b83bf4c5a3d7dae2f989d1e8320d963cb3

Download Submit
C:\Windows\Installer\e57d2c1.msi

Filesize
17.4MB

MD5
bac7724f2bb43c352494c77bc99d3e5c

SHA1
f440a950e53adad76238db2e084374fc74a5711b

SHA256
a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793

SHA512
1e7e85915293db5c9ee9dc27604d1f9c83ad66aec28aa82544d29f2ee4ffca72349c0b828a17fe1b08fab206b3695ce7072227ded23bb315db6f663e93427b1d

Download Submit
C:\Windows\System32\DriverStore\FileRepository\LOCKSC~1.INF\lockscr.sys

Filesize
23KB

MD5
32870cbf933826df5160b176b54293e6

SHA1
367afde56b570dc5cb0ea9387749fe793a4ababd

SHA256
486ddc8e9aa5b4e5cd166c5b326edfd682554c10ff0f31eb2feaaa2e479f5389

SHA512
8405045707a4d6a17004c904aa5d6ecc448cadcd339bf8f7acea2fa91d29b02378ec158321c3e8450a958345ba96ed385a19e19fd15189fa2c15dd5a5d1ae682

Download Submit
C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF

Filesize
7KB

MD5
dcb15b6ad5765f944150a5f833a75b83

SHA1
86682db550337e1b732db975212db25f858ae480

SHA256
b6047a6f44704b0fa49857dd15c56138216f6d86c86516b987ad99b72442f053

SHA512
9e7480aeb85a072ed5731bea253c44c26ba9438c03c4e1c434bd72f5f58edd86697889b398ce015f8ab762ec41cbf4017427001743274cb7bf128c7341a297ec

Download Submit
C:\Windows\System32\DriverStore\FileRepository\lockscr.inf_amd64_b5060323c4b9d7cd\lockscr.inf

Filesize
1KB

MD5
49ad0d7c46ac85407b40701d0d205aa8

SHA1
d1a359d7aacfa04424bdda9ba49c81eb248799e3

SHA256
ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a

SHA512
4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d

Download Submit
C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF

Filesize
150KB

MD5
eb6e121e3a6b37c1d9929f73b1d17c7b

SHA1
2bb9588477a562deb38754d0cfb95d2709c7a0e6

SHA256
807c1010b7107e440bbfb952e20df74b35e5365d24a9372afa18e90c62caf96b

SHA512
d44be3736d64bac3a8fa8084ef3f372cc2566859316c65dc62858241897d127d63c259627ce808099442748113c2912c851ae147bd0d2065c043e04baf369847

Download Submit
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF

Filesize
64KB

MD5
0f6d7f0d5972d16d758f82491a2c61aa

SHA1
db271146852d1f711ff7b65c2b3b6eb127c20e7a

SHA256
6a9de35c129df4b249e15562125c8d44ff45a33286654ce12cc708dc85a51102

SHA512
44ad280df25606885153d034fa7487d0e3d5349c261274a89fc5cc7ccfc271b3cee17136c47c1524b7084bf20b3459b2db8c7e75e02a45d22dfa256efe5e66ce

Download Submit
C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF

Filesize
89KB

MD5
13062b8e4971dd0981a6ea446a250dbb

SHA1
25690ae72798f384d267916e95587d504533500a

SHA256
667b24b0c14196309d4acd4b4e26bbbacd4185e3ed85805b3b592df484b1f9c4

SHA512
738122c9a689b454957826f929db49b8a7287f1ca7336cfe432f0b455f459cc0ee1126f43da9adee81f389b87ddcbb753ecec5b5ee63ad8ca2ab236aa29b2255

Download Submit
C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF

Filesize
131KB

MD5
be157a6e5dc5a83707623b15c9072fca

SHA1
e136e985df62e15d3f21d6f435ccc7070dcd22f2

SHA256
df230b964d4cbaddb4b8bd3933bca9b456e16240ea7ad0c10100b9a7d2a45ba9

SHA512
978f973b0989a9e4322ca63509ff54b8edc2e2fa0a0f2b84fca4cee381b29dce1b4b032c73399370b7b167822c43b07598450c5df7f8fda1cfc8f31f9a7d7b09

Download Submit
C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.cat

Filesize
10KB

MD5
12a7f47c90e918b41ce04c9bcb51359a

SHA1
33aed70fa4741248d38f9470bab68fc67feb970c

SHA256
4e7afd7f1ee3926742d10502879576e3dfe132c558c9c3c833df715a49fa2f3a

SHA512
32620cdc862beb166aecd3622457c311b28bf447c1fe83bf546aa507bf2cf6a1911da881d6c4e655df7d38617a67c535af7e36ac1021ada9b97e0b6623a48733

Download Submit
C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.inf

Filesize
1KB

MD5
49ad0d7c46ac85407b40701d0d205aa8

SHA1
d1a359d7aacfa04424bdda9ba49c81eb248799e3

SHA256
ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a

SHA512
4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d

Download Submit
C:\Windows\System32\DriverStore\Temp\{651fb3f1-2a94-2741-87ce-2ad743227191}\lockscr.sys

Filesize
23KB

MD5
32870cbf933826df5160b176b54293e6

SHA1
367afde56b570dc5cb0ea9387749fe793a4ababd

SHA256
486ddc8e9aa5b4e5cd166c5b326edfd682554c10ff0f31eb2feaaa2e479f5389

SHA512
8405045707a4d6a17004c904aa5d6ecc448cadcd339bf8f7acea2fa91d29b02378ec158321c3e8450a958345ba96ed385a19e19fd15189fa2c15dd5a5d1ae682

Download Submit
C:\Windows\Temp\dxdig_{5A53B0DE-6437-49BA-BF0B-1726DACFFAE3}.xml

Filesize
68KB

MD5
38cc0c3eca4d835b36bcc2cbf365bc7b

SHA1
a11d345d7e6462ffe983a7c193c66639bba79206

SHA256
4d0b8e193ee75a0d925a11f73ada70216b4cf299f9730beb43d8182f926ea63c

SHA512
90bfdfb381081b7fc09ecd6f4c3469b0496618bea4a5c2329997a2fd28c4a6ef1efd80daabd32023ba380e42cdaf27c607e202ef49d483e916bd6e0996ba362a

Download Submit
\??\c:\PROGRA~2\REMOTE~1\monitor\x64\WINDOW~1\lockscr.sys

Filesize
23KB

MD5
32870cbf933826df5160b176b54293e6

SHA1
367afde56b570dc5cb0ea9387749fe793a4ababd

SHA256
486ddc8e9aa5b4e5cd166c5b326edfd682554c10ff0f31eb2feaaa2e479f5389

SHA512
8405045707a4d6a17004c904aa5d6ecc448cadcd339bf8f7acea2fa91d29b02378ec158321c3e8450a958345ba96ed385a19e19fd15189fa2c15dd5a5d1ae682

Download Submit
\??\c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.cat

Filesize
10KB

MD5
12a7f47c90e918b41ce04c9bcb51359a

SHA1
33aed70fa4741248d38f9470bab68fc67feb970c

SHA256
4e7afd7f1ee3926742d10502879576e3dfe132c558c9c3c833df715a49fa2f3a

SHA512
32620cdc862beb166aecd3622457c311b28bf447c1fe83bf546aa507bf2cf6a1911da881d6c4e655df7d38617a67c535af7e36ac1021ada9b97e0b6623a48733

Download Submit
\??\c:\program files (x86)\remote manipulator system - host\monitor\x64\windows10\lockscr.inf

Filesize
1KB

MD5
49ad0d7c46ac85407b40701d0d205aa8

SHA1
d1a359d7aacfa04424bdda9ba49c81eb248799e3

SHA256
ca1ff261a0884cb5e9203ef6e2ccc67be6bad06c8af705cb2a17d717ecd6207a

SHA512
4fffa5ad19c2d4f29ff410f00fbed2f411e93a4941cd2c17deafb62cf08b2ddd18af7a6b88e8ba28524bc4ca05cea432c873058d93dcb24cabaf1f1bdc0c469d

Download Submit
memory/1376-337-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1376-169-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-76-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1376-42-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1376-187-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1376-75-0x00000000077C0000-0x00000000077C8000-memory.dmp

Filesize
32KB

Download
memory/1376-78-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/1376-77-0x0000000006120000-0x0000000006158000-memory.dmp

Filesize
224KB

Download
memory/1376-43-0x00000000005D0000-0x0000000000746000-memory.dmp

Filesize
1.5MB

Download
memory/1376-48-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1376-341-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1640-468-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1640-446-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1640-470-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/1740-176-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/1740-200-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-574-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-570-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-429-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2004-578-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-516-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-582-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-460-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-462-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2004-483-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-479-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-566-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/2004-474-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/3008-400-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3120-467-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3120-485-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3120-472-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3120-476-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3120-560-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3120-481-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3120-447-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3660-21-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/3660-22-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3660-427-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/3660-61-0x0000000000400000-0x000000000283E000-memory.dmp

Filesize
36.2MB

Download
memory/3920-168-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/3920-166-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4408-406-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/4408-407-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/4688-421-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/4688-445-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/4716-336-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/4716-401-0x0000000000400000-0x0000000001140000-memory.dmp

Filesize
13.2MB

Download
memory/4764-463-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4764-464-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/4808-492-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-502-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-500-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-501-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-498-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-499-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-496-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-497-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-490-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download
memory/4808-491-0x000001C625640000-0x000001C625641000-memory.dmp

Filesize
4KB

Download