rms | fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rms.host6.3ru.msi
Size

7.6MB
MD5

4dc446d219e73f5218ad16b0f2c633d4
SHA1

0a4e6de0272180db99a6ad04a74da2ba129ea873
SHA256

fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810
SHA512

8768ba91e9ff5f0b8dbab1977876d1058824d2f07b58184fcab8a76c60db210b459bd32a04e038a6fec8946c5021eef214c90289ca1af94a27069365311cc9b4
SSDEEP

196608:vw5w5SwnqgSGGmDW7dgf/668YsAtDyL4:4GwwnqLiDU+fS2

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 9 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	Process
3048	rutserv.exe
4476	rutserv.exe
2776	rutserv.exe
4236	rutserv.exe
1632	rutserv.exe
2480	rfusclient.exe
4432	rfusclient.exe
3588	rfusclient.exe
1864	rutserv.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid	Process
3800	MsiExec.exe

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow	pid	Process
11	5104	msiexec.exe
14	5104	msiexec.exe
20	5104	msiexec.exe
24	5104	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 3 IoCs

Processes:

rutserv.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Drops file in Program Files directory 56 IoCs

Processes:

msiexec.exerutserv.exerutserv.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.pdb	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\e592f92.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI357D.tmp	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\e592f94.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e592f92.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9B149A31-6736-4195-8F11-4FDCF6D84DE1}	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003462af5746133e160000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003462af570000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003462af57000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3462af57000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003462af5700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\PackageName = "rms.host6.3ru.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Version = "116129792"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\PackageCode = "60173EDF5317FBC43924C4F0466FEE4B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Language = "1049"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductIcon = "C:\\Windows\\Installer\\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerutserv.exe

pid	Process
772	msiexec.exe
772	msiexec.exe
3048	rutserv.exe
3048	rutserv.exe
3048	rutserv.exe
3048	rutserv.exe
3048	rutserv.exe
3048	rutserv.exe
4476	rutserv.exe
4476	rutserv.exe
2776	rutserv.exe
2776	rutserv.exe
4236	rutserv.exe
4236	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
1632	rutserv.exe
2480	rfusclient.exe
2480	rfusclient.exe
1864	rutserv.exe
1864	rutserv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
3588	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeCreateTokenPrivilege	5104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5104	msiexec.exe
Token: SeLockMemoryPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeMachineAccountPrivilege	5104	msiexec.exe
Token: SeTcbPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeLoadDriverPrivilege	5104	msiexec.exe
Token: SeSystemProfilePrivilege	5104	msiexec.exe
Token: SeSystemtimePrivilege	5104	msiexec.exe
Token: SeProfSingleProcessPrivilege	5104	msiexec.exe
Token: SeIncBasePriorityPrivilege	5104	msiexec.exe
Token: SeCreatePagefilePrivilege	5104	msiexec.exe
Token: SeCreatePermanentPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeDebugPrivilege	5104	msiexec.exe
Token: SeAuditPrivilege	5104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5104	msiexec.exe
Token: SeChangeNotifyPrivilege	5104	msiexec.exe
Token: SeRemoteShutdownPrivilege	5104	msiexec.exe
Token: SeUndockPrivilege	5104	msiexec.exe
Token: SeSyncAgentPrivilege	5104	msiexec.exe
Token: SeEnableDelegationPrivilege	5104	msiexec.exe
Token: SeManageVolumePrivilege	5104	msiexec.exe
Token: SeImpersonatePrivilege	5104	msiexec.exe
Token: SeCreateGlobalPrivilege	5104	msiexec.exe
Token: SeCreateTokenPrivilege	5104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5104	msiexec.exe
Token: SeLockMemoryPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeMachineAccountPrivilege	5104	msiexec.exe
Token: SeTcbPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeLoadDriverPrivilege	5104	msiexec.exe
Token: SeSystemProfilePrivilege	5104	msiexec.exe
Token: SeSystemtimePrivilege	5104	msiexec.exe
Token: SeProfSingleProcessPrivilege	5104	msiexec.exe
Token: SeIncBasePriorityPrivilege	5104	msiexec.exe
Token: SeCreatePagefilePrivilege	5104	msiexec.exe
Token: SeCreatePermanentPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeDebugPrivilege	5104	msiexec.exe
Token: SeAuditPrivilege	5104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5104	msiexec.exe
Token: SeChangeNotifyPrivilege	5104	msiexec.exe
Token: SeRemoteShutdownPrivilege	5104	msiexec.exe
Token: SeUndockPrivilege	5104	msiexec.exe
Token: SeSyncAgentPrivilege	5104	msiexec.exe
Token: SeEnableDelegationPrivilege	5104	msiexec.exe
Token: SeManageVolumePrivilege	5104	msiexec.exe
Token: SeImpersonatePrivilege	5104	msiexec.exe
Token: SeCreateGlobalPrivilege	5104	msiexec.exe
Token: SeCreateTokenPrivilege	5104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5104	msiexec.exe
Token: SeLockMemoryPrivilege	5104	msiexec.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

msiexec.exerfusclient.exerutserv.exe

pid	Process
5104	msiexec.exe
5104	msiexec.exe
4432	rfusclient.exe
4432	rfusclient.exe
5104	msiexec.exe
4432	rfusclient.exe
4432	rfusclient.exe
1864	rutserv.exe
1864	rutserv.exe
4432	rfusclient.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

rfusclient.exe

pid	Process
4432	rfusclient.exe
4432	rfusclient.exe
4432	rfusclient.exe
4432	rfusclient.exe
4432	rfusclient.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
3048	rutserv.exe
4476	rutserv.exe
2776	rutserv.exe
4236	rutserv.exe
1632	rutserv.exe
1864	rutserv.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

msiexec.exerutserv.exerfusclient.exerfusclient.exe

description	pid	Process	procid_target
PID 772 wrote to memory of 3800	772	msiexec.exe	95
PID 772 wrote to memory of 3800	772	msiexec.exe	95
PID 772 wrote to memory of 3800	772	msiexec.exe	95
PID 772 wrote to memory of 2640	772	msiexec.exe	103
PID 772 wrote to memory of 2640	772	msiexec.exe	103
PID 772 wrote to memory of 3048	772	msiexec.exe	106
PID 772 wrote to memory of 3048	772	msiexec.exe	106
PID 772 wrote to memory of 3048	772	msiexec.exe	106
PID 772 wrote to memory of 4476	772	msiexec.exe	107
PID 772 wrote to memory of 4476	772	msiexec.exe	107
PID 772 wrote to memory of 4476	772	msiexec.exe	107
PID 772 wrote to memory of 2776	772	msiexec.exe	109
PID 772 wrote to memory of 2776	772	msiexec.exe	109
PID 772 wrote to memory of 2776	772	msiexec.exe	109
PID 772 wrote to memory of 4236	772	msiexec.exe	108
PID 772 wrote to memory of 4236	772	msiexec.exe	108
PID 772 wrote to memory of 4236	772	msiexec.exe	108
PID 1632 wrote to memory of 4432	1632	rutserv.exe	112
PID 1632 wrote to memory of 4432	1632	rutserv.exe	112
PID 1632 wrote to memory of 4432	1632	rutserv.exe	112
PID 1632 wrote to memory of 2480	1632	rutserv.exe	113
PID 1632 wrote to memory of 2480	1632	rutserv.exe	113
PID 1632 wrote to memory of 2480	1632	rutserv.exe	113
PID 2480 wrote to memory of 3588	2480	rfusclient.exe	114
PID 2480 wrote to memory of 3588	2480	rfusclient.exe	114
PID 2480 wrote to memory of 3588	2480	rfusclient.exe	114
PID 4432 wrote to memory of 1864	4432	rfusclient.exe	116
PID 4432 wrote to memory of 1864	4432	rfusclient.exe	116
PID 4432 wrote to memory of 1864	4432	rfusclient.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\rms.host6.3ru.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 080C360BE8F37067FAB3F93DDC0E337E C
  2⤵
  - Loads dropped DLL
  PID:3800
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2640
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4476
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4236
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /CONFIG /SETSECURITY
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1860

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /config
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1864
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e592f93.rbs

Filesize
15KB

MD5
b02329fa9baeb330049027302528dd1f

SHA1
691cf84b2b5e3c85c88a41a2d9d1eb210bae951f

SHA256
03cd3e6485cbdba4b2aa59dcceb67250d91da5f0bad2005a9b6cd413de3a4ad3

SHA512
2ca39a852cf7c78a86f40704b48eedc2bede038f0adaf67ce484037989c52ab891e9206db17143f102a7bb034efcc80fb91b1a37839f604d0b371586f20628d5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
500b5d9c3c0ff50c9bafdccb8ee049bc

SHA1
fce3d53df1dff631e69af83420b4bf8b1c632972

SHA256
c0a5b0f80e85c2e2078feca245bfc78518988b059ea711f65b5060d4f3471838

SHA512
a624bfd524d44365a583a1ea860fcbde4188a3731e026ba23a3118857461bf8298e90ef51a23f438f9241cc5a2c5c472f47c75c8e312eb68664680c9feefbfb9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
976KB

MD5
eba6316a7d073079954d638b335d9165

SHA1
4b75e9ae790f51077850b1da60136a182fc06425

SHA256
00e0bffd66abca71e488aa52d2672fd90d17eb25a162e3f7af46856faed2e742

SHA512
65159606e8f771edf6fb56efa6c660a173456662e8d0e92bbefde765666be685766dd9e7aa8cf8f4c0a0de741392be6a711bee9f215042d715af85bcbe4f2f6a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
2.5MB

MD5
6a5588bc2aa3707d9aceeaf414d3dc27

SHA1
7441b755d33f1c6e38770b73aa650d7c350a30c5

SHA256
d52e3c98865d1854d4fa652dd41ca52709926beb6401657b55d846b7c9783d24

SHA512
ff46dccf1ee83c1b53ee2d8da76c678e360057f00f23797862ba8ccdbf4fcb5b12f8fb1caafa8fe827d23b9dfad9d22d0105ddfd288b95b9ac0a9adcdd6a7cdf

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.0MB

MD5
b6a9e3735f52a4ae2fe06cfc5df2f5fb

SHA1
c82283b84bfc368f061e959d343e59ae77896e4f

SHA256
2d0d25bbddbaf95d44f09d7263733286f7794d734f35e3e3d8f693180b95ec44

SHA512
5282b55ef5852c66e3919164eb6af171a41c62fffdb4af878b8b16ad754f319fdcdf37aec0209e3ddd24164e173d08cc375db32c87e5d4071a18da33f8a49e30

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
5.1MB

MD5
e3c15e4d44c2b546d640b5808a9a2818

SHA1
090f6f75558614f19b970df39ebe1a87185f5a0c

SHA256
b6daf91fc45307fff001a61b9402ad19bd59dd72541427d39207991be6679219

SHA512
c5864116e95533d599ab8ee9a36b71ea38275fcc5e076489116cc1caea31fdd0c81cf2b5ea43e244ee38a92099e0388a042c7604f1deb2e4c6caf29a3314a494

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
6.0MB

MD5
8f6e38cc55206473121c8bf63fcbcf2d

SHA1
35504ce4bc1cea9e737a3be108cd428ab2251e1d

SHA256
fa1d176073d43c82ffe25b20401efddb018317cdd468d160d90c950641cdad57

SHA512
083e795d1668277428d5fa89fcc136a13f411483457403fdbba0df557b45360ea24d5ac7b45ae74b10f01adde22ad8ac2563d9c088f42c14b61e85a664815ab9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
768KB

MD5
3fb278f38e79542984eeba237fb2ba87

SHA1
aabfca7387228a6a792240c374eb2e39bdb51277

SHA256
e08c6a84d5f00ef09d52adab320f7df9f678a8f3822f597cbec6c09619825b61

SHA512
16389c48a2a188292540e525f727a4aecb66cf3a74bdc20cb8138deab4914b39b411bfe008882088e27828f7bed5bcb3c145d8d98bd93cdc7e168732ffc1ad97

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
2.7MB

MD5
1d34696f2d2c33cd11a8622f1456a792

SHA1
570bc33b50e7726c1153ef9f8fcc3a28f18c2349

SHA256
e9ab3cc0526a347035a93e99251ccaaa542b30fc8dd3fb1806417501489e5c12

SHA512
d90bdc19c85b99f97ffbdfb76e30292878b70bd9e0ce30936c10667610e8f752cdd78b090ad9ce7f8133486fe2ede5e2f915f58b734f555610543ae9245cbb92

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
320KB

MD5
31ceae32b3c71dbd1361103347285424

SHA1
2c6846a2f208d3c4a6eae11baa61f94a17cec7b7

SHA256
dd7870429393258b0d37565d9f1a55bc7de5cb18dd92b39166d89a65c3723571

SHA512
31c1cb5d11451b58dcb040228444de0f4bd3a20aafd42da321768e96372204dd24602ab3fb07b8d8ce9462d1a13fce6acf69d4a62692d55ff053daaa24468d99

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.3MB

MD5
66de2866bfbfb6490196d3c7e92cc234

SHA1
c15cf341ff2e58b6f8409fc753c8beba192ed8a0

SHA256
6cc34f8aaeba871fc6bbfafd2b99d1c60f8f5e37c3ff8076ffd43145682e45fd

SHA512
2794833ff3a0eb707ae8b156fafd9149e75a65699960820b3add877293fe3573f2d27695f09e6cc09ed47fe9c92159f934ff696a999a7d548445582831935336

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
9581f7064028a782182e8a4411e9afa5

SHA1
9356d9f62fc38a1150c3cad556b2a531cd7d430b

SHA256
320a23db8d34bd2628078903d4496d4b9320d50c13d11283f77a8c3b9ec36698

SHA512
01c5a711bd0d7cea5cae906c163b7a98c3b09b8ce5a5b52f096d806e20d7f28fe3e174eb6ba8ff630b870b1cea3d9d72905227a989d70e312d79b55644e6442c

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
ec59d88c3ebda7c2ce36dcdbe4c67e5b

SHA1
8b01a5730ebda5729a57d97abec1de00c7cf0218

SHA256
54b661f2d55f5cafccd7aca334efb89e908b3f19e3e35c9aa661221b31ec60e3

SHA512
46963b390affcb1f6e5d42ae4f4a67a453d9048e8f8b825bb543a1c2031f1ece07d2f295d30eff51a6624bf096e0d10f8ba8d6516b28e63926f214eb7d7e5b84

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
858KB

MD5
12eba58e4c0450ccb2d9fdce22255d09

SHA1
1f88ce0834e0bcf0f61ed0557204ef05dd577b1e

SHA256
c80464f71b46411b01962b6095acd6eb2ed09ad8d6eb0a67840826a6297823b2

SHA512
08f999aeb55968de3dacb560a25174e5a1c29eb2ea95a6fc8f770c10369263e2f8cea525f93c89a0e03954ff1221b4486641fc9a892d53a8857e9cf441ec05d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
a8c8eb8bf71ea727e35148b09b26fec7

SHA1
f4ab4a15766b9d1e7253ecbb20973af8affbdb7c

SHA256
21c9949032173647ca9cd7fd03822577e2eaeefa0954974f9dd8a9d7ed4c0e13

SHA512
dc04414bf8dd78dafef8d5582ced4c8ab9e466354c03ddaa3014c1400934692a4dbabbf6200616e5364b4a69ce4192f283852a126c1e938a1705cd005d0c6d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
1KB

MD5
6d693ab6367aa9972f1b610f303b5583

SHA1
a35b0d21048534e781ff2636134b668ec05fa9ff

SHA256
939fa9d9098d2399260dc1c90bcd7092f6359383a7e3a39a11abcdd3cac81b72

SHA512
eb0d6ffa0e6471c7a515ad78e220926b9f05ee73f54ba85e959c1e5fb1e933df6ac574ae553b6cf97ad916677845b8b26eaab6bf9acdb33ce5a998af187164eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
8e8765e9439f6802a026542af91e9fac

SHA1
3a7b6b767d64dd3aee390ac2d38b09fad0c9bf2d

SHA256
65553d1aa540cc7ea808ed044bc8f0ccf06ee8acc9534dbeaa24d604cd3eef59

SHA512
9ef4a04d287999cb39022a185197d5955fb4d83fe879a39286b4f45d082f784f8d11e45489a95266aa7a6e1c2c33441d794549b0979aabff1121b8ce0f55d965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
ba6c986832b9da28bfdf3cfd60801234

SHA1
3d4a53618660f4fc4d0dec626e70ac30a708842f

SHA256
f1a8926e398e4990a0a48f20c4f1c7efe79653c6fbf2f853f676b13af0b13cf5

SHA512
0ba16679117053eb90528a95a6292935f473f495cf5efca60870496a5e55a9d8e28253d9088f012c4456eb4715885297e7b9b6c7831689151a37696c2865326d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
402B

MD5
0c423c47275df5e03fb0554c34962ff3

SHA1
e683e9e9178113a1f15c4a0eafd342189a5f15c3

SHA256
4e9795ae290c52c6352ce443a0c4c1a17e23d2dd835d48deb2015b05831ed708

SHA512
38caa8fd45fbf9883224419708ab961a456bef14d03ad8ab29ccfcbcc0f4934f5dbfacd0be12335d9054d85a0c0fe205cd9375414bd70bd51bc702a9d86105a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI27C.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\e592f92.msi

Filesize
3.9MB

MD5
753f540612e86c3690ac7395d7701b15

SHA1
031b017906fe52ccc17e8dae07bfe5ad7c3c4d87

SHA256
63a6fede6a328ca95e56c0fb87c531fc18e2972cc215a15572e2a591ba6f9e3d

SHA512
01010da7ec90bfaafa8b00c059bf1c967f8f7ecaf518a93f211ebb5ae3920ba9ae44d8f19b9545c76448df50185983df1d91c07ec6d708e1ad3f421ecba36db0

Download Submit
C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
19.5MB

MD5
95951ba77b7d232f99b3be52f0baca4e

SHA1
e3a3628147bb073b3ee4b41dcfb308d1e05251bc

SHA256
67b27a29fb23b0f012a819496e9215f8dd786a80310e98994abbe501453f012e

SHA512
a59328dbea8b6451d2345b3cb9cdef01bc79186091d3636ecdf641864ec0f43a2e3438fcc444c4bfca703db97bb31f2800da4ba58afd45dde13fe201e04460fb

Download Submit
\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c22d794e-a761-4027-aa5a-5f1ec4d6051d}_OnDiskSnapshotProp

Filesize
6KB

MD5
f30ca9960663761608b3950d3f1575ae

SHA1
4c56d81ee3f3810775c37001a9165cbb0924a6a9

SHA256
4587b62ac42a224c0ce3eb1755e4d76932611d8f8779ee633136059c491cf945

SHA512
e96d05e5d3443d74fad55bccc8f894941c610173dfc7782a2fb12c68ca79cf64a1f01ca02dff7ce1be3f5798c8a8560f215869fa95d392c152f9d3d8ab41793a

Download Submit
memory/1632-126-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/1632-176-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1632-187-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1632-167-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/1632-150-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1864-185-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1864-190-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2480-168-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2480-141-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2480-151-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2776-153-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2776-123-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2776-147-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3048-116-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3048-117-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3588-148-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3588-149-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4236-140-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4236-124-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4432-142-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/4432-177-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/4432-180-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4432-166-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4432-189-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4432-152-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4476-120-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4476-119-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download