rms | fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-12-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rms.host6.3ru.msi
Size

7.6MB
MD5

4dc446d219e73f5218ad16b0f2c633d4
SHA1

0a4e6de0272180db99a6ad04a74da2ba129ea873
SHA256

fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810
SHA512

8768ba91e9ff5f0b8dbab1977876d1058824d2f07b58184fcab8a76c60db210b459bd32a04e038a6fec8946c5021eef214c90289ca1af94a27069365311cc9b4
SSDEEP

196608:vw5w5SwnqgSGGmDW7dgf/668YsAtDyL4:4GwwnqLiDU+fS2

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Registers new Print Monitor 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Driver = "rmspm.dll"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Ports\rms	spoolsv.exe

Executes dropped EXE 16 IoCs

Processes:

rutserv.exerutserv.exerutserv.exesrvinst_x64.exesrvinst_x64.exesetupdrv.exesetupdrv.exesrvinst_x64.exeVPDAgent_x64.exesrvinst_x64.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	Process
716	rutserv.exe
1004	rutserv.exe
1700	rutserv.exe
1856	srvinst_x64.exe
1652	srvinst_x64.exe
2932	setupdrv.exe
3036	setupdrv.exe
596	srvinst_x64.exe
784	VPDAgent_x64.exe
1412	srvinst_x64.exe
844	rutserv.exe
2956	rutserv.exe
2280	rutserv.exe
2092	rfusclient.exe
2648	rfusclient.exe
1736	rfusclient.exe

Loads dropped DLL 46 IoCs

Processes:

MsiExec.execmd.execmd.exespoolsv.exerutserv.exe

pid	Process
2996	MsiExec.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
2064	cmd.exe
868
868
2328	cmd.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
2328	cmd.exe
2328	cmd.exe
2280	rutserv.exe
2280	rutserv.exe

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow	pid	Process
3	2296	msiexec.exe
5	2296	msiexec.exe
7	2296	msiexec.exe
9	2296	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 33 IoCs

Processes:

spoolsv.exesetupdrv.exe

description	ioc	Process
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrv_rms.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unires_vpd.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.ini	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rmsui.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.gpd	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.gpd	setupdrv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.ini	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rmsui2.exe	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.ini	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.lng	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.hlp	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\stdnames_vpd.gpd	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rmsui2.exe	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.gpd	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.lng	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.lng	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rmsui.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rmsui.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rmsui2.exe	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.hlp	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\rms.BUD	spoolsv.exe
File created	C:\Windows\system32\rmspm.dll	setupdrv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\stdnames_vpd.gpd	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrvui_rms.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrv_rms.hlp	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\stdnames_vpd.gpd	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\rmspm.dll	setupdrv.exe

Drops file in Program Files directory 55 IoCs

Processes:

msiexec.exerutserv.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exesrvinst_x64.exeDrvInst.exe

description	ioc	Process
File created	C:\Windows\Installer\f764b81.msi	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\VPDAgent_x64.exe	srvinst_x64.exe
File opened for modification	C:\Windows\Installer\f764b82.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\VPDAgent_x64.exe	srvinst_x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f764b82.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f764b81.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\f764b84.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C4E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

spoolsv.exeDrvInst.exemsiexec.exerutserv.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\RMS Printer = "winspool,rms,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\RMS Printer = "winspool,rms"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\RMS Printer = "winspool,rms"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rutserv.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\PackageName = "rms.host6.3ru.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Version = "116129792"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\PackageCode = "60173EDF5317FBC43924C4F0466FEE4B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductIcon = "C:\\Windows\\Installer\\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2424	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

msiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	Process
1264	msiexec.exe
1264	msiexec.exe
716	rutserv.exe
716	rutserv.exe
716	rutserv.exe
716	rutserv.exe
1004	rutserv.exe
1004	rutserv.exe
1700	rutserv.exe
1700	rutserv.exe
1700	rutserv.exe
1700	rutserv.exe
844	rutserv.exe
844	rutserv.exe
2956	rutserv.exe
2956	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2280	rutserv.exe
2092	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
1736	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	1264	msiexec.exe
Token: SeTakeOwnershipPrivilege	1264	msiexec.exe
Token: SeSecurityPrivilege	1264	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2296	msiexec.exe
Token: SeLockMemoryPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeMachineAccountPrivilege	2296	msiexec.exe
Token: SeTcbPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeLoadDriverPrivilege	2296	msiexec.exe
Token: SeSystemProfilePrivilege	2296	msiexec.exe
Token: SeSystemtimePrivilege	2296	msiexec.exe
Token: SeProfSingleProcessPrivilege	2296	msiexec.exe
Token: SeIncBasePriorityPrivilege	2296	msiexec.exe
Token: SeCreatePagefilePrivilege	2296	msiexec.exe
Token: SeCreatePermanentPrivilege	2296	msiexec.exe
Token: SeBackupPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeDebugPrivilege	2296	msiexec.exe
Token: SeAuditPrivilege	2296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2296	msiexec.exe
Token: SeChangeNotifyPrivilege	2296	msiexec.exe
Token: SeRemoteShutdownPrivilege	2296	msiexec.exe
Token: SeUndockPrivilege	2296	msiexec.exe
Token: SeSyncAgentPrivilege	2296	msiexec.exe
Token: SeEnableDelegationPrivilege	2296	msiexec.exe
Token: SeManageVolumePrivilege	2296	msiexec.exe
Token: SeImpersonatePrivilege	2296	msiexec.exe
Token: SeCreateGlobalPrivilege	2296	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2296	msiexec.exe
Token: SeLockMemoryPrivilege	2296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2296	msiexec.exe
Token: SeMachineAccountPrivilege	2296	msiexec.exe
Token: SeTcbPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeLoadDriverPrivilege	2296	msiexec.exe
Token: SeSystemProfilePrivilege	2296	msiexec.exe
Token: SeSystemtimePrivilege	2296	msiexec.exe
Token: SeProfSingleProcessPrivilege	2296	msiexec.exe
Token: SeIncBasePriorityPrivilege	2296	msiexec.exe
Token: SeCreatePagefilePrivilege	2296	msiexec.exe
Token: SeCreatePermanentPrivilege	2296	msiexec.exe
Token: SeBackupPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeShutdownPrivilege	2296	msiexec.exe
Token: SeDebugPrivilege	2296	msiexec.exe
Token: SeAuditPrivilege	2296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2296	msiexec.exe
Token: SeChangeNotifyPrivilege	2296	msiexec.exe
Token: SeRemoteShutdownPrivilege	2296	msiexec.exe
Token: SeUndockPrivilege	2296	msiexec.exe
Token: SeSyncAgentPrivilege	2296	msiexec.exe
Token: SeEnableDelegationPrivilege	2296	msiexec.exe
Token: SeManageVolumePrivilege	2296	msiexec.exe
Token: SeImpersonatePrivilege	2296	msiexec.exe
Token: SeCreateGlobalPrivilege	2296	msiexec.exe
Token: SeCreateTokenPrivilege	2296	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msiexec.exerfusclient.exe

pid	Process
2296	msiexec.exe
2648	rfusclient.exe
2648	rfusclient.exe
2296	msiexec.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

rfusclient.exe

pid	Process
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe
2648	rfusclient.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
716	rutserv.exe
1004	rutserv.exe
1700	rutserv.exe
844	rutserv.exe
2956	rutserv.exe
2280	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exerutserv.execmd.execmd.exe

description	pid	Process	procid_target
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 2996	1264	msiexec.exe	29
PID 1264 wrote to memory of 716	1264	msiexec.exe	33
PID 1264 wrote to memory of 716	1264	msiexec.exe	33
PID 1264 wrote to memory of 716	1264	msiexec.exe	33
PID 1264 wrote to memory of 716	1264	msiexec.exe	33
PID 1264 wrote to memory of 1004	1264	msiexec.exe	34
PID 1264 wrote to memory of 1004	1264	msiexec.exe	34
PID 1264 wrote to memory of 1004	1264	msiexec.exe	34
PID 1264 wrote to memory of 1004	1264	msiexec.exe	34
PID 1264 wrote to memory of 1700	1264	msiexec.exe	35
PID 1264 wrote to memory of 1700	1264	msiexec.exe	35
PID 1264 wrote to memory of 1700	1264	msiexec.exe	35
PID 1264 wrote to memory of 1700	1264	msiexec.exe	35
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 1700 wrote to memory of 2064	1700	rutserv.exe	36
PID 2064 wrote to memory of 1856	2064	cmd.exe	39
PID 2064 wrote to memory of 1856	2064	cmd.exe	39
PID 2064 wrote to memory of 1856	2064	cmd.exe	39
PID 2064 wrote to memory of 1856	2064	cmd.exe	39
PID 2064 wrote to memory of 2424	2064	cmd.exe	38
PID 2064 wrote to memory of 2424	2064	cmd.exe	38
PID 2064 wrote to memory of 2424	2064	cmd.exe	38
PID 2064 wrote to memory of 2424	2064	cmd.exe	38
PID 2064 wrote to memory of 1652	2064	cmd.exe	41
PID 2064 wrote to memory of 1652	2064	cmd.exe	41
PID 2064 wrote to memory of 1652	2064	cmd.exe	41
PID 2064 wrote to memory of 1652	2064	cmd.exe	41
PID 2064 wrote to memory of 2932	2064	cmd.exe	40
PID 2064 wrote to memory of 2932	2064	cmd.exe	40
PID 2064 wrote to memory of 2932	2064	cmd.exe	40
PID 2064 wrote to memory of 2932	2064	cmd.exe	40
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 1700 wrote to memory of 2328	1700	rutserv.exe	44
PID 2328 wrote to memory of 3036	2328	cmd.exe	43
PID 2328 wrote to memory of 3036	2328	cmd.exe	43
PID 2328 wrote to memory of 3036	2328	cmd.exe	43
PID 2328 wrote to memory of 3036	2328	cmd.exe	43
PID 2328 wrote to memory of 596	2328	cmd.exe	47
PID 2328 wrote to memory of 596	2328	cmd.exe	47
PID 2328 wrote to memory of 596	2328	cmd.exe	47
PID 2328 wrote to memory of 596	2328	cmd.exe	47
PID 2328 wrote to memory of 1412	2328	cmd.exe	53
PID 2328 wrote to memory of 1412	2328	cmd.exe	53
PID 2328 wrote to memory of 1412	2328	cmd.exe	53
PID 2328 wrote to memory of 1412	2328	cmd.exe	53
PID 1264 wrote to memory of 844	1264	msiexec.exe	50
PID 1264 wrote to memory of 844	1264	msiexec.exe	50
PID 1264 wrote to memory of 844	1264	msiexec.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\rms.host6.3ru.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8D0E94ED00396D02933DB27A5273D76 C
  2⤵
  - Loads dropped DLL
  PID:2996
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:716
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1004
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /printerinstall
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2424
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe stop
      4⤵
      Executes dropped EXE
      PID:1856
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
      setupdrv.exe uninstall
      4⤵
      Executes dropped EXE
      PID:2932
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe uninstall
      4⤵
      Executes dropped EXE
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe install
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:596
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe start
      4⤵
      Executes dropped EXE
      PID:1412
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /CONFIG /SETSECURITY
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1360

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2024

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
setupdrv.exe install
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2100

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Registers new Print Monitor
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3064

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2648
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1736

C:\Windows\VPDAgent_x64.exe
C:\Windows\VPDAgent_x64.exe
1⤵
- Executes dropped EXE
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f764b83.rbs

Filesize
14KB

MD5
7e8dd361bf084963de1c63913caa3a19

SHA1
9f1b7aa62e8cb66fadb76a081aa6570fbf4c56a7

SHA256
defed1c1328cc738e34c781814cd9153ad75ec95ce6e761e15e769abf8018ef9

SHA512
6dcbbbfa780b76e918fb625dfb2378a3bb3cc0e6b80cd9cc772e52870f12703fe39dc4229250743fa5d26cc1a95205f4260e4379370a0123fd0c33711a43f3dd

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd

Filesize
68B

MD5
921adb25b2323226764ccface8bc087a

SHA1
0e657a741ec92704fe2e9b19f7eb0890cba02b1c

SHA256
e71036db28270fff2f386049abcd8b1340f66871c3c6cc64195c4de30d886464

SHA512
b91cc962438e4a7afd4324b81d84b3721dc44a49e9c674fa92a5363f8e393ba64bf99aca852b375620d7a4e84a09a8af591df4531346cc936559f80a91cdc999

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini

Filesize
40B

MD5
58ded3cb7ca70a6975c5419c62fdb51d

SHA1
274040c32983b7fbf01f65e41b375f255a78547d

SHA256
425dbedfc4a8a0672478b0b97e28568e5007e9813bba650fe727b252f43a0dfc

SHA512
c9f3b324adc89be54ccace827c0b0b759f8658a63a6c9689c2bc5f01388daa25b8ea80f8c3b624403a2cae784af5cf0e5a94919795263a31ab9769969fd08a42

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll

Filesize
59KB

MD5
226dd77b3bbfa913e8963188e62a2d36

SHA1
205826bd6310853eee6abab9b0e7a5f1d660a372

SHA256
4418601866821c20615b1385eb7055ae80b4a33a72367bcbc947a53dccf4f1c5

SHA512
05db5c46ce18d4f77fff826a3b1d1808916b1bb7818a495e6186fbd76302dda368984860e538f8a5c8815c8c8d915f446cc9ade90d2e444cbbd816cb2aa0de11

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe

Filesize
39KB

MD5
85392b6015e615ae21ea7014ddf937e6

SHA1
c1cb3b360c69db2f1cffe09c6e5572be00729997

SHA256
89f40a0e75c2bb865438b1c087adcc2796f5461b53596d1f2462d72733c289a6

SHA512
96a66e3000910cf7dbe35a3a4a9026771f2928bbed74ee18b040774b24ae37fc61b651c88d7d890a191c99539f74681c0bf5dd9c32413ccb7726f021866398fa

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll

Filesize
704KB

MD5
12a44c9f20cb218204ab04de54fbf9d0

SHA1
3c97345463d11782d34e3ec738a108d429b0e7e2

SHA256
418f62b2d544a6adf7982510f60d3f0b891aa8d73a05a116bd7de456e446ac4f

SHA512
7b83c1a0ea6077563da2852fdc16b6d4f1f2e3f424b49cd24f50d1cefc642797d2517f23272640c7b7009ae0dd0bfed93668a49580e49d8934a61c6dae448739

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd

Filesize
87B

MD5
24837286ab8b5537ea3967e0a7905238

SHA1
4f3dc09d2f0c9ede72577154b9954621dd30604b

SHA256
f6ebaa2bc59841b72aaf3c03c7bfea91c75ec1f982f497d6b3d7fb7271cacdf6

SHA512
6b0cfd707fbab7034ef45b4864329a9ad01f649216fe13aede6bf6488b50020da65f8a3776c1b125eebe08aef6a848d04a33de8277a2ad3827c8869af1368c00

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll

Filesize
481KB

MD5
c39f16614bda80efd6283faf4a085b96

SHA1
27af36b9da1d0530c4e52352c2c691c8a34174f9

SHA256
5e5352d5ddfd3735af4515cb72726c6db6a6ea85855e22f36947c7d1b774d8a2

SHA512
d653b883394c2ea8de516ba9f28e6a10653cf9d3cf63c8813141309c8ee403299d66ce49764be40dbccc115faa2f48651245c89072bf6a4d28035a58391ee3ae

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.6MB

MD5
3f3be1ca72f00c6522e4cd5754aa08b0

SHA1
0580df59ef477907bf29de9716b502a9fda63683

SHA256
7ebae3bb9616a962049bd6ef253f339c59cf1a1fabf682d11647f0821fe6a6ca

SHA512
031ec2281d09841ec85491d25eb00e39cd19c8678de99c2ce26ea414a0e37dbd39d0eb2632c1ef310ffa9afa2715f0069aa5e9154dac96bc760b1cdc325d63bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.7MB

MD5
a92ca0a38bcb1d0e0f6f6329269cfa4b

SHA1
7a7764a565bbe2e1251190005dcd962d8988e6fb

SHA256
50c2e3bfb89cd156f9d6465cc85ae9dd87837c2600123a4ff9690d9259ffe4ec

SHA512
c6ac4ba46206933ec05e0dea5f3f98d0b5963107c2779e566d7f4064435c9fe02a23ca91e3a8661f93b2fda924886e1ae41f09ed017c2b7dd6570d9ce8fce053

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.6MB

MD5
69b50f26109282ff21195e17dd7b2275

SHA1
b35c60e01d1e8cd42f17c39dbf2ddd4ad6d9abf2

SHA256
0e7b374fe7a42bf26dd976ddc2e68c698ede4da1cc222d629c96128c66ccadf3

SHA512
c9c08215dd87cb928c1a00b77650c4cd1b59531ef2c2a520cbf807efa93bd88568e9814e1154813de0b6c5c1e9acc6f6c657eee089b48b00fb3b760fb2d51ae5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.5MB

MD5
32398e83c0260e6a5567712fd6df3875

SHA1
cbc055cc0bd5dafbf2c5820b9694d1d28745afbe

SHA256
ac4b0d2f8cf3d10d54acaaecc085d4a498d9afb5950dc21ebf31b55498152d69

SHA512
6a242223cd2443d2827a48df64ae9d546a0a2861874f3f7626ba3ef2ec6c3cafd1294127229296405b0def2502c3204b65b4900417ae6558cc62469fb243a02c

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.4MB

MD5
853ffffe4d689eba601095c660ef5f40

SHA1
dccc675f2281824f54c3a121a5881bbf1229fa7d

SHA256
e805614daa823c982e80b7905086e822f58827b28a2728605834b7c638f7f3d2

SHA512
b611dae6b1fab85989e0ecb842512c39a1c35d1d0ae1458aff63498170adc61188e7c59c4577fba81f91cd4a332912129c766d1398647417a34859eefd011319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
a8c8eb8bf71ea727e35148b09b26fec7

SHA1
f4ab4a15766b9d1e7253ecbb20973af8affbdb7c

SHA256
21c9949032173647ca9cd7fd03822577e2eaeefa0954974f9dd8a9d7ed4c0e13

SHA512
dc04414bf8dd78dafef8d5582ced4c8ab9e466354c03ddaa3014c1400934692a4dbabbf6200616e5364b4a69ce4192f283852a126c1e938a1705cd005d0c6d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
1KB

MD5
6d693ab6367aa9972f1b610f303b5583

SHA1
a35b0d21048534e781ff2636134b668ec05fa9ff

SHA256
939fa9d9098d2399260dc1c90bcd7092f6359383a7e3a39a11abcdd3cac81b72

SHA512
eb0d6ffa0e6471c7a515ad78e220926b9f05ee73f54ba85e959c1e5fb1e933df6ac574ae553b6cf97ad916677845b8b26eaab6bf9acdb33ce5a998af187164eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
b89b0b273972a0e826c0e77877dcc997

SHA1
fe102aea9101aeccb47ba42d7ac0b08ddc99d25d

SHA256
80d3ff89fec91a65ab02c0997daa5c149f0c6eac620570de492ac26d6517c577

SHA512
8c891188f4819c54ccd0d6b02170fe39eb50b86778ddcc2165d3240c55a544712a91fe4523ad9520d2d66149d4da9eb029fdea0d461fb8be720d5e4956d91eea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
cab373dd2f573e07b5e1ed732cbfe83b

SHA1
51455a510cea67270624258c7788493399f32bb8

SHA256
47dd7535c2399a109de752e6df5ea3728ae9ee7d264cf48dc2d0052896f271ed

SHA512
982b97e0adc68597ae6c738823e863ed84bb621cb1d5799db57112ed7c665676a231961592ef59932b0d59f98fc8288d378424d609ce4cbbeedf2e31cc8c0656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
402B

MD5
d9ccc48e701e0eb88944b54e6c73225c

SHA1
8f5b579186b99782e5445871b88eeb5a14332e68

SHA256
4e51053331df05e873fe4c275cf026834a894924931e30b5b5e1db9217fde44e

SHA512
fd6909efdf19493a885dbfe1c6b80fc57486a3d959f3009a3442bbc427754681a59bd819c2e8825c12337e6436fc317187d0d2d04cba2f5be6eb62f32c215527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2107372bc70a58cca193e1694cb25a65

SHA1
ec893b4c024f9d0919c95dad67f9620da1ded005

SHA256
0d20e115dacd649855f34e34cdf0aa21c40f4d736836ff6d70616732286493e9

SHA512
d8e3208f815eca3b8b01de1ed41bb1f373b02cbfa082c4599b70186011e5dd3f865472b828df33d55b9301924e3fb182da3ef4f4449701428ce551bd48f7520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12B8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI157E.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12CB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Installer\f764b81.msi

Filesize
463KB

MD5
bcd65362a0e44f7a84e5ee8b8ad3b11c

SHA1
1e4f10ff345f91f3442f54e7fc8bcfd95db7e60e

SHA256
68f5365e666e37922af3efdede102b383fa460740f17ad836e451c185cdbea4c

SHA512
d87a56a937b32563edfa6d96a751fb49ed8750577b43adfb5d86b5ebc734158d2f27991e5291049e70e8d1a79dec385d80e3bd631783b1fc07108ec2062d7ab8

Download Submit
C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
C:\Windows\System32\rmspm.dll

Filesize
40KB

MD5
18bd1fe84876c70b1ed0fea62e95452a

SHA1
66ddb4c710ed73ef35698561397fc5b86464589c

SHA256
9b6a27c761136e89b32ceff1e8276c5d3b4c3a9f012e38f3e0e94a5c00e8952b

SHA512
6300e40fc75214a923c72012aab377c9a1837bee29d40ec07d048af378f28e5986f4c08b921c1d119821fc51179b9be1b02e33297293255ac7396976cfbe0784

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rms.gpd

Filesize
14KB

MD5
151f3af412abd6bf05d160a70f8873d8

SHA1
0efcf48401d546ce101920496dcbbf3ab252ee87

SHA256
4c21b9663120b494d0f5112eb5f9e0aab4b659a5bf5d5301ee4d5a98abb20f25

SHA512
58513727d12cc915cd8445a078beb238aa3df28cc49b3733d487b0d3100f1c519b39f5b809ace618536e2d8951c1b3a58c0763a893bbd92a98c8e06575d92a4f

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rms.lng

Filesize
25KB

MD5
de5b0b40318ceabef85c04260141b039

SHA1
450df0a73f682425f631af1bd8b1960490498427

SHA256
7633ce5b3d2f8fea91207cdc1b2252b81606be1b5ffafedd56220cfd07f36c49

SHA512
2afdbce31039b77761173a3d8a87970a99b152a97048a8710b0d5b4876bd7602dbbf8b5315fe5f4da69d093871ee59c626198371ccdea6180d7e651b871ac91b

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rmsui.dll

Filesize
11KB

MD5
989bf93dc7ca89f93feb55a9a2e77522

SHA1
7a8fcc9cc9ee9049b2ec82665bbe3681ce02cdf9

SHA256
6a773270e0095828436c118a7e521dd7ca3330d56b4c2cbfcbbb5f80b1efd966

SHA512
ba0479698c6723f4cd7cb8ea4a79fb09d7e3a5a6f9d5a937a901816910c6007ecffb18da5f4f11b8e591693c9ed47ee483869fbfdb92b28950ae8bc0026d6934

Download Submit
C:\Windows\System32\spool\drivers\x64\3\stdnames_vpd.gpd

Filesize
14KB

MD5
7162d8977515a446d2c1e139da59ded5

SHA1
952f696c463b8410b1fa93a3b2b6dae416a81867

SHA256
2835a439c6ae22074bc3372491cb71e6c2b72d0c87ae3eee6065c6caadf1e5c8

SHA512
508f7ca3d4bc298534ab058f182755851051684f8d53306011f03875804c95e427428bd425dd13633eec79748bb64e78aad43e75b70cc5a3f0f4e6696dbb6d8e

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrv_rms.dll

Filesize
24KB

MD5
b484d33af649a64622dcb93f73f8d75f

SHA1
21d9e9586ea347d1caf0bf814f47a27c451da031

SHA256
b3876ccc4931497ca7d934572a6b102aecc5563bead1333b097f320873367b48

SHA512
0518c59182d94c674c2bb48e419f6462f48544e745827e78e8d24cf6d6b986d3bdfaabc02eb3d59944d2d3d6b3cb4df8493cb82fcc717ef9aba3761b8a335b5d

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrv_rms.hlp

Filesize
12KB

MD5
cc022a37cf294f4970592af365567c03

SHA1
3a61167790aba6ca0276fceb171ee052bc258d9f

SHA256
4b4f04dd5863ba2ddf37ec3f9790bd512e7a3c4e00030a50cbad9ede046096b0

SHA512
5681f271c71d66da579664dea11f0564118a24d39788ba74b444fbe252f6474e943c40994e648892cb802229b96c8b4669d50cdc90827c9d59be5b578f45a743

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrvui_rms.dll

Filesize
20KB

MD5
3830c0e673db24aa8ce86a6e615c4bdc

SHA1
a447203b4ebfc0c26d5aae2b9825c72bd8740c41

SHA256
6b447ac4c10f43ab05e76fe5170dd150b1dd7398dfb7f839a1f5590b733af29e

SHA512
b7699bede6ba2fae272be19e08e51db04b6136ece70f94029b96cdc3106e35925d0dc688b75958833eef7b0e980bdeda538d9cede70cfd347cd8cade4f832b0d

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
467KB

MD5
5dca2613daeb523d42c330ce01dec3a4

SHA1
55a23b5c2b3bd713e249d183934d05e73bea5ae9

SHA256
1bb9898534a15f96a054c8cbcb3ce22a086483e474e2e17949752affbc168231

SHA512
e5763130afd0d4c948e0b55606e37191c054ada026214beaecd6f606136922f1df035b115dbc229bc6ba41dc961005d0feea54ef55e7408bebc8adc0ded884be

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.hlp

Filesize
20KB

MD5
6798f64959c913673bd66cd4e47f4a65

SHA1
c50faa64c8267ac7106401e69da5c15fc3f2034c

SHA256
0c02b226be4e7397f8c98799e58b0a512515e462ccdaac04edc10e3e1091c011

SHA512
8d208306b6d0f892a2f16f8070a89d8edb968589896cb70cf46f43bf4befb7c4ca6a278c35fe8a2685cc784505efb77c32b0aabf80d13bcc0d10a39ae8afb55a

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll

Filesize
638KB

MD5
2cf555227291c2c0a574c34f325d9123

SHA1
1c08004d97e6ebaa29c5d9db4de6bffa2b1b463a

SHA256
2a8b666024a9aba47d82fa089addc79380eb11dc3daf119880ec58d3c299dde0

SHA512
1de9892d72d68e264289ddcf1e8b2126624a256444ed8baaf2317bfa2fe7a6691e2d47a74335762ac4c1aac5b79f8e1d602fead76d2289d323831f45302b2c3a

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll

Filesize
468KB

MD5
53cb8943b87ccc936cd729c657e41496

SHA1
d3316376346bcf211dcf4abcfea4839972fec79d

SHA256
5fcb2291cce1afa2d210231e37a5145f299b2cb68085f149eb876ece88cbab98

SHA512
8df9ed9e727fec158ede0615905a2239381db950e71fa01c64187e5fbeb1662368a16afccd02f405b40d780412a0693d43986c4fc10ae06bd38c15fff2f09cc6

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe

Filesize
64KB

MD5
2ea197013915eff8ab9e6e17f4973148

SHA1
49b51a293637776d17bb0296aeb5d311319028b0

SHA256
0a07a14373634cffa28988eb3f17b6598bf6fd562e5c095a44a903e16112ac78

SHA512
43cd01403c76bb1885d210e2a1a72a1dd3623938ffe422300513f74d4106caaed7fde8b513153297b703c7cd2db50b8d9caa113c08d176fe7a733cb6a5378555

Download Submit
\Windows\System32\rmspm.dll

Filesize
38KB

MD5
15c83325b88c39736518305aba860cbe

SHA1
dea0aa1dfbd47818caad32f6c7d42e931be5b982

SHA256
dc248baa22f50865e651e0f430d358ff4463bc1905e9cf52327c50d4e024d660

SHA512
0b12a762e2da1ce7728a4a00ef45bc0fb6da3f404d15b213e35c8e9df29b3974cddb4ed160c269dd85126fd8d0b37db66accab35b9131814c5b40a829eef7719

Download Submit
\Windows\System32\spool\drivers\x64\rmsui.dll

Filesize
24KB

MD5
27cdbafd9c2f5d76f919500bb140362f

SHA1
8085a45a8cb9c1667e75929ba29d788d205cb9a9

SHA256
fd635d2c45ef137d5ab9947d3090d5e8cb7501ade21c954922fd14adb1db084b

SHA512
d2ac0fdce101a618d0c77e69b81ceaa9d2ace81e38029e36c13a479e1e6cf3b46c0abea88dbc4e5a80da0d21a2dc12761dc0db847584f3f9907b27f106618e5d

Download Submit
\Windows\System32\spool\drivers\x64\rmsui2.exe

Filesize
214KB

MD5
d365140d7485cb00487cce3825b7344e

SHA1
7088c5e6832b797266c28a0734d9b3071e35b959

SHA256
83b5fd45c964c257b7508b6e354b2355121bea0a9b68d5c3b3ae443773cf7ce4

SHA512
645415fbc4aec9ab613f6e0c351a40c846fa7e45a7d089978a3c784ff4adbdf5c82d2f870f8422bac20332e6d187e57a84b1bd3b46d35713b2177e5f6a3d7ba7

Download Submit
\Windows\System32\spool\drivers\x64\unidrv_rms.dll

Filesize
83KB

MD5
baa1af562da1e79c08d467367c221818

SHA1
b39c4b96ca4a9355e73b9402f876db5b20a2a58f

SHA256
8fedf66355c3e68f205e77e72554fee537adefd65f20dbaadbbc36dd5f0150af

SHA512
98ea84eb7bcab5b14aa961b555f29b5efb9269a2cc3aa40ac469f5cddbad0bf82e40f6e724340049d40633d64d284f5c822a0377358f07a5040bea221b0c8538

Download Submit
\Windows\System32\spool\drivers\x64\unidrv_rms.dll

Filesize
473KB

MD5
22820e2e00c4295eceae881abe40342e

SHA1
295f11023c5f41ee61a5a384c11a38ea1abdc144

SHA256
bbd59d7361baa6acce7aa39ddb446eb8e777c0dbc83bc59fcf1e298826fa065a

SHA512
ba63efd96f3e51d927ac143bc0380a267840f88fd85f1188c21080a224fda69a275c730a9ddaec54041eacd6618ce11633cc61026420e9e8696878e8c488d3b9

Download Submit
\Windows\System32\spool\drivers\x64\unidrv_rms.dll

Filesize
391KB

MD5
8a60de756aba257bbd55686fafa3b67f

SHA1
579574e540eed99558cbe9730dbb9ef241db6902

SHA256
1fb9541edec012afb49b2c9c233a23bd87a689be5babeae09a66da8dc43a1dbc

SHA512
25a5c152317c4c03b51e9eaeab22035d08981e6ef06bc05b05bfadd4eda4fa41b576549c9325bd9a9aa0446ddf6db0f0c8d8f7ea746956749af4ded126cc5127

Download Submit
\Windows\System32\spool\drivers\x64\unidrvui_rms.dll

Filesize
519KB

MD5
0bb409358f6bf9af43d5c95ef6ca2ddf

SHA1
fc8b957c8e480924c3bb0c819241c718396d195f

SHA256
f67f0c485e34daaa39a87adb0551c893cd15d2023cf4439d22c19ff6c33a270b

SHA512
79b6dc57a02f94bf3969723b25d13b1c264a3cc06766e687e1da6770d4d13c93f32465216306226827316906e96654f62e39d2952f643c2c1b230afea27bdc56

Download Submit
\Windows\System32\spool\drivers\x64\unidrvui_rms.dll

Filesize
557KB

MD5
f0d35eb7b8cb5a5bef9c86b7b0c6a898

SHA1
9620061dcd2b9c3c8ccedbdb5be845a7e8b40386

SHA256
b9e6cec3422e7e3705cc5810b81ab0adf5a9a11eee4529e7f1ca6f04b6ef263c

SHA512
eb1a129d8f40d38980f34a8383ccd444ddef1bdc4ee526a430143f553911e07102998792930809af2d0ff8253c711854ee9f93c8f5f5076ff218267c73c6a18e

Download Submit
\Windows\System32\spool\drivers\x64\unires_vpd.dll

Filesize
619KB

MD5
fedfcf244481d4bc30fc1170b0f7dbb1

SHA1
6252b322b993bdd998d1035ba9418b9eaef060d7

SHA256
ab10c380c602dfb61e742cceb31b915e86ea8ba970d13d6cedaff40f464d024e

SHA512
b6885a72dab55b8e709940c8605ee36e640f3f6e31b547d27f5d26ecca002f910bbca8c1f3e48b59825cc993f7c8e3cc15b24d0425c1e05badd45b9933542824

Download Submit
\Windows\System32\spool\drivers\x64\unires_vpd.dll

Filesize
507KB

MD5
be4d8ddbe3d22528a9c8ac24abe46c1e

SHA1
a2f5fd391bc38abafaecfd196ba0e7cc8bf1a129

SHA256
795f6b98149d17518b4f61639298eed32bb007708b3826529be6d496fbf23910

SHA512
a751c7258aec9701b24f8048d6ea0cf767318a790c9f3b58f5ff08c0a5f802c1db35c2de54296fd66976b19600126adb3d86a7f7c57974c25e72cfc5f9a56133

Download Submit
memory/716-159-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/716-161-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/844-341-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/844-347-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1004-164-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1004-163-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1700-340-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1700-339-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1700-166-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1736-353-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1736-352-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2092-356-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2092-345-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2092-374-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-405-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-355-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-376-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-343-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-416-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-413-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-409-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-372-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-393-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2280-398-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2648-415-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-378-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-375-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2648-395-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-425-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-400-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-346-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2648-407-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-371-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-411-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2648-357-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2956-354-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2956-342-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2956-358-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download