rms | fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rms.host6.3ru.msi
Size

7.6MB
MD5

4dc446d219e73f5218ad16b0f2c633d4
SHA1

0a4e6de0272180db99a6ad04a74da2ba129ea873
SHA256

fb48076d93e8705240d11e770cb928e79c4514cc4336e17bc845af33fedeb810
SHA512

8768ba91e9ff5f0b8dbab1977876d1058824d2f07b58184fcab8a76c60db210b459bd32a04e038a6fec8946c5021eef214c90289ca1af94a27069365311cc9b4
SSDEEP

196608:vw5w5SwnqgSGGmDW7dgf/668YsAtDyL4:4GwwnqLiDU+fS2

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Registers new Print Monitor 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Ports\rms	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\rmsm\Driver = "rmspm.dll"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 17 IoCs

Processes:

rutserv.exerutserv.exerutserv.exesrvinst_x64.exesrvinst_x64.exesetupdrv.exesetupdrv.exesrvinst_x64.exeVPDAgent_x64.exesrvinst_x64.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exerutserv.exe

pid	Process
816	rutserv.exe
1816	rutserv.exe
3080	rutserv.exe
1828	srvinst_x64.exe
5048	srvinst_x64.exe
4832	setupdrv.exe
2272	setupdrv.exe
2312	srvinst_x64.exe
2392	VPDAgent_x64.exe
3556	srvinst_x64.exe
712	rutserv.exe
1188	rutserv.exe
3060	rutserv.exe
4564	rfusclient.exe
4752	rfusclient.exe
876	rfusclient.exe
3612	rutserv.exe

Loads dropped DLL 28 IoCs

Processes:

MsiExec.exespoolsv.exe

pid	Process
4292	MsiExec.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow	pid	Process
7	216	msiexec.exe
10	216	msiexec.exe
12	216	msiexec.exe
15	216	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 39 IoCs

Processes:

spoolsv.exesetupdrv.exerutserv.exerutserv.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.gpd	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.ini	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrv_rms.hlp	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.hlp	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.ini	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\stdnames_vpd.gpd	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rmsui.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File created	C:\Windows\system32\rmspm.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\stdnames_vpd.gpd	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrv_rms.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rmsui2.exe	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rmsui2.exe	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.lng	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\system32\rmspm.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unidrvui_rms.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.ini	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rms.lng	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\rmsui2.exe	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\rms.BUD	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rmsui.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.lng	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rmsui.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\unires_vpd.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\stdnames_vpd.gpd	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\rms.gpd	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.hlp	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll	setupdrv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\rms.gpd	spoolsv.exe

Drops file in Program Files directory 57 IoCs

Processes:

msiexec.exerutserv.exerutserv.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.pdb	rutserv.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2023-12.html	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.pdb	rutserv.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe

Drops file in Windows directory 20 IoCs

Processes:

msiexec.exesrvinst_x64.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\VPDAgent_x64.exe	srvinst_x64.exe
File created	C:\Windows\Installer\e57aae6.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9B149A31-6736-4195-8F11-4FDCF6D84DE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57aae6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\e57aae8.msi	msiexec.exe
File opened for modification	C:\Windows\VPDAgent_x64.exe	srvinst_x64.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC0F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exespoolsv.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cdbedf05adb60d680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cdbedf050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cdbedf05000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcdbedf05000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cdbedf0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

spoolsv.exerutserv.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rutserv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rutserv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\RMS Printer = "winspool,rms,15,45"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\RMS Printer = "winspool,rms"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rutserv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\RMS Printer = "winspool,rms,15,45"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rutserv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\RMS Printer = "winspool,rms"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\ConvertUserDevModesCount	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\PackageCode = "60173EDF5317FBC43924C4F0466FEE4B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\ProductIcon = "C:\\Windows\\Installer\\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\PackageName = "rms.host6.3ru.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\13A941B963765914F811F4CD6F8DD41E\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\Version = "116129792"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\13A941B963765914F811F4CD6F8DD41E\DeploymentFlags = "3"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1620	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerutserv.exe

pid	Process
2352	msiexec.exe
2352	msiexec.exe
816	rutserv.exe
816	rutserv.exe
816	rutserv.exe
816	rutserv.exe
816	rutserv.exe
816	rutserv.exe
1816	rutserv.exe
1816	rutserv.exe
3080	rutserv.exe
3080	rutserv.exe
3080	rutserv.exe
3080	rutserv.exe
712	rutserv.exe
712	rutserv.exe
1188	rutserv.exe
1188	rutserv.exe
3060	rutserv.exe
3060	rutserv.exe
3060	rutserv.exe
3060	rutserv.exe
3060	rutserv.exe
3060	rutserv.exe
4564	rfusclient.exe
4564	rfusclient.exe
3612	rutserv.exe
3612	rutserv.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
876	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	216	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeCreateTokenPrivilege	216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	216	msiexec.exe
Token: SeLockMemoryPrivilege	216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	216	msiexec.exe
Token: SeMachineAccountPrivilege	216	msiexec.exe
Token: SeTcbPrivilege	216	msiexec.exe
Token: SeSecurityPrivilege	216	msiexec.exe
Token: SeTakeOwnershipPrivilege	216	msiexec.exe
Token: SeLoadDriverPrivilege	216	msiexec.exe
Token: SeSystemProfilePrivilege	216	msiexec.exe
Token: SeSystemtimePrivilege	216	msiexec.exe
Token: SeProfSingleProcessPrivilege	216	msiexec.exe
Token: SeIncBasePriorityPrivilege	216	msiexec.exe
Token: SeCreatePagefilePrivilege	216	msiexec.exe
Token: SeCreatePermanentPrivilege	216	msiexec.exe
Token: SeBackupPrivilege	216	msiexec.exe
Token: SeRestorePrivilege	216	msiexec.exe
Token: SeShutdownPrivilege	216	msiexec.exe
Token: SeDebugPrivilege	216	msiexec.exe
Token: SeAuditPrivilege	216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	216	msiexec.exe
Token: SeChangeNotifyPrivilege	216	msiexec.exe
Token: SeRemoteShutdownPrivilege	216	msiexec.exe
Token: SeUndockPrivilege	216	msiexec.exe
Token: SeSyncAgentPrivilege	216	msiexec.exe
Token: SeEnableDelegationPrivilege	216	msiexec.exe
Token: SeManageVolumePrivilege	216	msiexec.exe
Token: SeImpersonatePrivilege	216	msiexec.exe
Token: SeCreateGlobalPrivilege	216	msiexec.exe
Token: SeCreateTokenPrivilege	216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	216	msiexec.exe
Token: SeLockMemoryPrivilege	216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	216	msiexec.exe
Token: SeMachineAccountPrivilege	216	msiexec.exe
Token: SeTcbPrivilege	216	msiexec.exe
Token: SeSecurityPrivilege	216	msiexec.exe
Token: SeTakeOwnershipPrivilege	216	msiexec.exe
Token: SeLoadDriverPrivilege	216	msiexec.exe
Token: SeSystemProfilePrivilege	216	msiexec.exe
Token: SeSystemtimePrivilege	216	msiexec.exe
Token: SeProfSingleProcessPrivilege	216	msiexec.exe
Token: SeIncBasePriorityPrivilege	216	msiexec.exe
Token: SeCreatePagefilePrivilege	216	msiexec.exe
Token: SeCreatePermanentPrivilege	216	msiexec.exe
Token: SeBackupPrivilege	216	msiexec.exe
Token: SeRestorePrivilege	216	msiexec.exe
Token: SeShutdownPrivilege	216	msiexec.exe
Token: SeDebugPrivilege	216	msiexec.exe
Token: SeAuditPrivilege	216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	216	msiexec.exe
Token: SeChangeNotifyPrivilege	216	msiexec.exe
Token: SeRemoteShutdownPrivilege	216	msiexec.exe
Token: SeUndockPrivilege	216	msiexec.exe
Token: SeSyncAgentPrivilege	216	msiexec.exe
Token: SeEnableDelegationPrivilege	216	msiexec.exe
Token: SeManageVolumePrivilege	216	msiexec.exe
Token: SeImpersonatePrivilege	216	msiexec.exe
Token: SeCreateGlobalPrivilege	216	msiexec.exe
Token: SeCreateTokenPrivilege	216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	216	msiexec.exe
Token: SeLockMemoryPrivilege	216	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msiexec.exerfusclient.exerutserv.exe

pid	Process
216	msiexec.exe
4752	rfusclient.exe
4752	rfusclient.exe
216	msiexec.exe
4752	rfusclient.exe
4752	rfusclient.exe
4752	rfusclient.exe
3612	rutserv.exe
3612	rutserv.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

rfusclient.exe

pid	Process
4752	rfusclient.exe
4752	rfusclient.exe
4752	rfusclient.exe
4752	rfusclient.exe
4752	rfusclient.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
816	rutserv.exe
1816	rutserv.exe
3080	rutserv.exe
712	rutserv.exe
1188	rutserv.exe
3060	rutserv.exe
3612	rutserv.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

msiexec.exerutserv.execmd.execmd.exerutserv.exerfusclient.exerfusclient.exe

description	pid	Process	procid_target
PID 2352 wrote to memory of 4292	2352	msiexec.exe	94
PID 2352 wrote to memory of 4292	2352	msiexec.exe	94
PID 2352 wrote to memory of 4292	2352	msiexec.exe	94
PID 2352 wrote to memory of 4684	2352	msiexec.exe	100
PID 2352 wrote to memory of 4684	2352	msiexec.exe	100
PID 2352 wrote to memory of 816	2352	msiexec.exe	102
PID 2352 wrote to memory of 816	2352	msiexec.exe	102
PID 2352 wrote to memory of 816	2352	msiexec.exe	102
PID 2352 wrote to memory of 1816	2352	msiexec.exe	103
PID 2352 wrote to memory of 1816	2352	msiexec.exe	103
PID 2352 wrote to memory of 1816	2352	msiexec.exe	103
PID 2352 wrote to memory of 3080	2352	msiexec.exe	104
PID 2352 wrote to memory of 3080	2352	msiexec.exe	104
PID 2352 wrote to memory of 3080	2352	msiexec.exe	104
PID 3080 wrote to memory of 840	3080	rutserv.exe	105
PID 3080 wrote to memory of 840	3080	rutserv.exe	105
PID 3080 wrote to memory of 840	3080	rutserv.exe	105
PID 840 wrote to memory of 1828	840	cmd.exe	107
PID 840 wrote to memory of 1828	840	cmd.exe	107
PID 840 wrote to memory of 1620	840	cmd.exe	108
PID 840 wrote to memory of 1620	840	cmd.exe	108
PID 840 wrote to memory of 1620	840	cmd.exe	108
PID 840 wrote to memory of 5048	840	cmd.exe	115
PID 840 wrote to memory of 5048	840	cmd.exe	115
PID 840 wrote to memory of 4832	840	cmd.exe	114
PID 840 wrote to memory of 4832	840	cmd.exe	114
PID 3080 wrote to memory of 4028	3080	rutserv.exe	116
PID 3080 wrote to memory of 4028	3080	rutserv.exe	116
PID 3080 wrote to memory of 4028	3080	rutserv.exe	116
PID 4028 wrote to memory of 2272	4028	cmd.exe	117
PID 4028 wrote to memory of 2272	4028	cmd.exe	117
PID 4028 wrote to memory of 2312	4028	cmd.exe	121
PID 4028 wrote to memory of 2312	4028	cmd.exe	121
PID 4028 wrote to memory of 3556	4028	cmd.exe	122
PID 4028 wrote to memory of 3556	4028	cmd.exe	122
PID 2352 wrote to memory of 712	2352	msiexec.exe	125
PID 2352 wrote to memory of 712	2352	msiexec.exe	125
PID 2352 wrote to memory of 712	2352	msiexec.exe	125
PID 2352 wrote to memory of 1188	2352	msiexec.exe	124
PID 2352 wrote to memory of 1188	2352	msiexec.exe	124
PID 2352 wrote to memory of 1188	2352	msiexec.exe	124
PID 3060 wrote to memory of 4564	3060	rutserv.exe	128
PID 3060 wrote to memory of 4564	3060	rutserv.exe	128
PID 3060 wrote to memory of 4564	3060	rutserv.exe	128
PID 3060 wrote to memory of 4752	3060	rutserv.exe	127
PID 3060 wrote to memory of 4752	3060	rutserv.exe	127
PID 3060 wrote to memory of 4752	3060	rutserv.exe	127
PID 4564 wrote to memory of 876	4564	rfusclient.exe	129
PID 4564 wrote to memory of 876	4564	rfusclient.exe	129
PID 4564 wrote to memory of 876	4564	rfusclient.exe	129
PID 4752 wrote to memory of 3612	4752	rfusclient.exe	134
PID 4752 wrote to memory of 3612	4752	rfusclient.exe	134
PID 4752 wrote to memory of 3612	4752	rfusclient.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\rms.host6.3ru.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C6656C2707AFDE7C354897C1479AC808 C
  2⤵
  - Loads dropped DLL
  PID:4292
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4684
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:816
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /printerinstall
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe stop
      4⤵
      Executes dropped EXE
      PID:1828
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1620
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
      setupdrv.exe uninstall
      4⤵
      Executes dropped EXE
      PID:4832
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe uninstall
      4⤵
      Executes dropped EXE
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
      setupdrv.exe install
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2272
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe install
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2312
  - - C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
      srvinst_x64.exe start
      4⤵
      Executes dropped EXE
      PID:3556
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /CONFIG /SETSECURITY
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1188
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Registers new Print Monitor
- Loads dropped DLL
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\VPDAgent_x64.exe
C:\Windows\VPDAgent_x64.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /config
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3612
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57aae7.rbs

Filesize
15KB

MD5
b7045ebb8242998badafc33b56789deb

SHA1
51b681affe275bb1511f1b24c49376e349b512dc

SHA256
d945a092effdc3173a877b5afd3a6024cabf9ce3078e836ef625227e20d0a840

SHA512
778a950b5d1de45302222888985c588a8438557a98767bfac98ebc324b48f54ef7a73434626c17c8ebbfd1099f1ccaebef14344691be3ebab3451d4747577313

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd

Filesize
68B

MD5
921adb25b2323226764ccface8bc087a

SHA1
0e657a741ec92704fe2e9b19f7eb0890cba02b1c

SHA256
e71036db28270fff2f386049abcd8b1340f66871c3c6cc64195c4de30d886464

SHA512
b91cc962438e4a7afd4324b81d84b3721dc44a49e9c674fa92a5363f8e393ba64bf99aca852b375620d7a4e84a09a8af591df4531346cc936559f80a91cdc999

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll

Filesize
59KB

MD5
226dd77b3bbfa913e8963188e62a2d36

SHA1
205826bd6310853eee6abab9b0e7a5f1d660a372

SHA256
4418601866821c20615b1385eb7055ae80b4a33a72367bcbc947a53dccf4f1c5

SHA512
05db5c46ce18d4f77fff826a3b1d1808916b1bb7818a495e6186fbd76302dda368984860e538f8a5c8815c8c8d915f446cc9ade90d2e444cbbd816cb2aa0de11

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe

Filesize
64KB

MD5
2ea197013915eff8ab9e6e17f4973148

SHA1
49b51a293637776d17bb0296aeb5d311319028b0

SHA256
0a07a14373634cffa28988eb3f17b6598bf6fd562e5c095a44a903e16112ac78

SHA512
43cd01403c76bb1885d210e2a1a72a1dd3623938ffe422300513f74d4106caaed7fde8b513153297b703c7cd2db50b8d9caa113c08d176fe7a733cb6a5378555

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe

Filesize
39KB

MD5
85392b6015e615ae21ea7014ddf937e6

SHA1
c1cb3b360c69db2f1cffe09c6e5572be00729997

SHA256
89f40a0e75c2bb865438b1c087adcc2796f5461b53596d1f2462d72733c289a6

SHA512
96a66e3000910cf7dbe35a3a4a9026771f2928bbed74ee18b040774b24ae37fc61b651c88d7d890a191c99539f74681c0bf5dd9c32413ccb7726f021866398fa

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll

Filesize
460KB

MD5
456991cb7c030610a5436a3f4bd3bde0

SHA1
512aca65661dea1aeb82bcb3d84fca69933d004e

SHA256
0991b9f53a0767516d5b67df8a672f2ecc01505fb92511733b0d1b712b14c2e1

SHA512
a9b1ad854c5198800fc7759fd4222211abc8516280e246842e763799e82808e976e1f8d19b831a404f7cbe4026d31c3badee18ee17877460c9163eeb888e18a8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp

Filesize
20KB

MD5
6798f64959c913673bd66cd4e47f4a65

SHA1
c50faa64c8267ac7106401e69da5c15fc3f2034c

SHA256
0c02b226be4e7397f8c98799e58b0a512515e462ccdaac04edc10e3e1091c011

SHA512
8d208306b6d0f892a2f16f8070a89d8edb968589896cb70cf46f43bf4befb7c4ca6a278c35fe8a2685cc784505efb77c32b0aabf80d13bcc0d10a39ae8afb55a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll

Filesize
451KB

MD5
c4223785cafe2e7c375b2214931c67f0

SHA1
2955bc33d6367bf481c5c236cde840641c69cd92

SHA256
3028a4355251f02971b49bb064ae95466ee497b4fed6e7012f5f44ee56889189

SHA512
ae9749d93a1c8a7971565027193e23c347b64f36a3fb988cfb36e0d2a1d72895125de8aebdb1a11ec7665fb8e1af3fc21e902d677305cbab04d608b0a62316c5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd

Filesize
87B

MD5
24837286ab8b5537ea3967e0a7905238

SHA1
4f3dc09d2f0c9ede72577154b9954621dd30604b

SHA256
f6ebaa2bc59841b72aaf3c03c7bfea91c75ec1f982f497d6b3d7fb7271cacdf6

SHA512
6b0cfd707fbab7034ef45b4864329a9ad01f649216fe13aede6bf6488b50020da65f8a3776c1b125eebe08aef6a848d04a33de8277a2ad3827c8869af1368c00

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll

Filesize
466KB

MD5
1f477b9e150dfc69632c4235642b51e2

SHA1
e9d002f306f1da6afbd1bb748629f5b74fa5eb31

SHA256
c5ad889aa974db88e9c59e0cdbf96eae6566de8d0e552c267969451b70b91829

SHA512
6810395c6ed4f0d2a111a5776f62e5eaff6e8c425be0c66b95c7baa643926be4f777b2704087ff3fd2045000c14f8ebb44bdb3c4e23fc104e4151a9a5cc9e531

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.7MB

MD5
a7815c179c1528cdad0200b2ab5b5bb4

SHA1
033bf75a6cecacb83ece411077468aad2742decf

SHA256
20a385812e01812f7c98ad035b47638a7489166b0c5e21662791f9026965474b

SHA512
e15a8530e03dac1fb7bb03069dcfaf36cbdf7ebcbb8c9e2bcf5c05259c683af8fd72f6993157885de6e127f054e1d978f81f89f1ddc937284027986b472017dd

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
826KB

MD5
271a70b3c74e3bf71f008e5246608ae9

SHA1
c2fe9984eb006f1d354ad9634ccc115e03f5cc1b

SHA256
5bc58425ca629baeb0a1115ec3c090cc942495ef6270aea7a28744c7c18b96ec

SHA512
dd40f38435901c8ae2f96763bc0f436922632636a6cc55b6bc9f9bd4d68404680db6073c2b2cade7896d6b378841fee4b2673b8d6e9b9c25dba370d3beb52434

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
855KB

MD5
9986010f7a89e25797bed28bf5167bff

SHA1
ba7f66915a591848d8418871e1b74a6ee620b510

SHA256
d800671302af705ee6f3011921a5dfb6e5627731c74409b0277698db700e8b14

SHA512
b19d50aa111b5475a7ddf694160183ae1870e11e86fe904788c148c320a4b69e7beeff15de97b448d5e6125b478834aadb3b0093aee1e4b732ab464dbb234266

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
260KB

MD5
ea23f1f8f7f27ea0f9a96019e40cb83f

SHA1
70afbe28e3dc47f657e8980743f737bd3617d810

SHA256
5e0c3cbd4e755c526b761bcfa2f908bb880806b3bc0372c16d22c19ab2c77a4c

SHA512
95362ab3d311a4b1c2e328c280ff5462f2d8bb441c92fff0194f729f008b52ee26eb0cf9efe2efd69c8ebe03c3213cedaa6385d3732d0487772779e460b4f8c0

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.4MB

MD5
53374737ec825716bcc38110693ca775

SHA1
bc73e6b973cfd8cb1713948aa0bb39bd7fb3d018

SHA256
5254a5a1e022aa78eabe27d3432819bac33406b029a1f8fff8186c326831b7ba

SHA512
c8f63c72d62218d67578b92ced52102b4ca96f55f3f5bf051c08b5c5a388872fac660ae9488137bc221e41ce4ee8b35e275ddc4e2d9550d47713d86a77840987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
a8c8eb8bf71ea727e35148b09b26fec7

SHA1
f4ab4a15766b9d1e7253ecbb20973af8affbdb7c

SHA256
21c9949032173647ca9cd7fd03822577e2eaeefa0954974f9dd8a9d7ed4c0e13

SHA512
dc04414bf8dd78dafef8d5582ced4c8ab9e466354c03ddaa3014c1400934692a4dbabbf6200616e5364b4a69ce4192f283852a126c1e938a1705cd005d0c6d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
1KB

MD5
6d693ab6367aa9972f1b610f303b5583

SHA1
a35b0d21048534e781ff2636134b668ec05fa9ff

SHA256
939fa9d9098d2399260dc1c90bcd7092f6359383a7e3a39a11abcdd3cac81b72

SHA512
eb0d6ffa0e6471c7a515ad78e220926b9f05ee73f54ba85e959c1e5fb1e933df6ac574ae553b6cf97ad916677845b8b26eaab6bf9acdb33ce5a998af187164eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
a7d17b26e3e911cf3d5dc19cb3cf7df7

SHA1
a195e53db22a2775779fdd47e7462c19ed7739e3

SHA256
37c529b5f6f198d0d7c52e65fe4d53daceeb15a8ae6de5e4f86a23d422c4feba

SHA512
45585dc1c772265ce742600feceaddb0a76cec77535cea00b8ff525d2ccc97da798ae5ece673d369408ecad1d9b348933c0aaf0474ce760e0f1f14d7f14ad106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
364b4dcdead7e98b1d4cb1641640bfcf

SHA1
eaaa039fd2182f9be90b466afef5a2189c93bf0a

SHA256
5e11da5dbf6ca504a5c257dcefdd1c8ca1748886eea60bb6d71f699ee871e1a0

SHA512
30c3c329e47a57cd3bb0e5b93b26c4b3bf4b9b0a7ec18e95c26a844894077d17d21d4d6e6bf04b0666d692b0164200b70b442cae678d8c1f207169cdc9193112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_6CEEC40E9BD29E4D838ABF9429DCF94C

Filesize
402B

MD5
3edee7e4b515708aeb8b296ed3e4e57a

SHA1
2e82b4e6ae477d72003451744f29da7749d6857f

SHA256
ebd46e2d997e03973fa497f5ef7e36a53877939b3a3559531911f97e6180bb60

SHA512
f6c2d07a9b1e5e3b963b84271785810edfb95622f22dabdfcdac411f38a88eafc51ade29f9c35ab4ed066fa59c5ed93313b78cb00ccf0bcb92b227fb5372d7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B9F.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\e57aae6.msi

Filesize
3.4MB

MD5
227a8cefdefbb7303b0b3a4d0a217e5c

SHA1
68d70cccad7ef3baa5e6a48a5f69d857c8c8a85a

SHA256
b4b61aed1472955d19f8b766e3a00cddd07ce40da500faffe0632305fead3c93

SHA512
171e2af8d6fbbf2cd8e18e23d7fd95ec414f7225113869355221b1ce96d1eb62ca00877ca52db98cb71e2c2ae2f072b6985b5ebd0af1e1f97aeb769029749609

Download Submit
C:\Windows\Installer\{9B149A31-6736-4195-8F11-4FDCF6D84DE1}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rms.gpd

Filesize
14KB

MD5
151f3af412abd6bf05d160a70f8873d8

SHA1
0efcf48401d546ce101920496dcbbf3ab252ee87

SHA256
4c21b9663120b494d0f5112eb5f9e0aab4b659a5bf5d5301ee4d5a98abb20f25

SHA512
58513727d12cc915cd8445a078beb238aa3df28cc49b3733d487b0d3100f1c519b39f5b809ace618536e2d8951c1b3a58c0763a893bbd92a98c8e06575d92a4f

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rms.ini

Filesize
40B

MD5
58ded3cb7ca70a6975c5419c62fdb51d

SHA1
274040c32983b7fbf01f65e41b375f255a78547d

SHA256
425dbedfc4a8a0672478b0b97e28568e5007e9813bba650fe727b252f43a0dfc

SHA512
c9f3b324adc89be54ccace827c0b0b759f8658a63a6c9689c2bc5f01388daa25b8ea80f8c3b624403a2cae784af5cf0e5a94919795263a31ab9769969fd08a42

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rms.lng

Filesize
25KB

MD5
de5b0b40318ceabef85c04260141b039

SHA1
450df0a73f682425f631af1bd8b1960490498427

SHA256
7633ce5b3d2f8fea91207cdc1b2252b81606be1b5ffafedd56220cfd07f36c49

SHA512
2afdbce31039b77761173a3d8a87970a99b152a97048a8710b0d5b4876bd7602dbbf8b5315fe5f4da69d093871ee59c626198371ccdea6180d7e651b871ac91b

Download Submit
C:\Windows\System32\spool\drivers\x64\3\rmsui.dll

Filesize
24KB

MD5
27cdbafd9c2f5d76f919500bb140362f

SHA1
8085a45a8cb9c1667e75929ba29d788d205cb9a9

SHA256
fd635d2c45ef137d5ab9947d3090d5e8cb7501ade21c954922fd14adb1db084b

SHA512
d2ac0fdce101a618d0c77e69b81ceaa9d2ace81e38029e36c13a479e1e6cf3b46c0abea88dbc4e5a80da0d21a2dc12761dc0db847584f3f9907b27f106618e5d

Download Submit
C:\Windows\System32\spool\drivers\x64\3\stdnames_vpd.gpd

Filesize
14KB

MD5
7162d8977515a446d2c1e139da59ded5

SHA1
952f696c463b8410b1fa93a3b2b6dae416a81867

SHA256
2835a439c6ae22074bc3372491cb71e6c2b72d0c87ae3eee6065c6caadf1e5c8

SHA512
508f7ca3d4bc298534ab058f182755851051684f8d53306011f03875804c95e427428bd425dd13633eec79748bb64e78aad43e75b70cc5a3f0f4e6696dbb6d8e

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrv_rms.dll

Filesize
57KB

MD5
8253bfe93f1c206c67f3aa936036fe32

SHA1
5ea728f97d61d0fa9bb764681fcb262d6ba21a91

SHA256
5968ab52249bfbe6843d201ade696f8f45e37cb500c2cb3318e0a5735dff2653

SHA512
57ed9c3a4496eea2218a6d711c524d407cc4659591bd56ed161a11ddd770686947cb8d622cbee939c467c27520df7daff3978319d2993913aab40c6d27e8a6c3

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrv_rms.dll

Filesize
55KB

MD5
08967a64a5348b7be2a7764efed30ae7

SHA1
954ba35d410fc961ae319242fabacec854118e6e

SHA256
64dce45bf5870dd9040baae7fcd26b9ba50dad3e2f3e59b6e94840d4b3ca7ea3

SHA512
c1d73b6e230bef1415980a6f0a21dc6246210bb08d49d401f9fe28ca70d1f7116ec0494ae9dc72b0f51a126444ce9ef3d823a1da450556d38ed0445a0d0b4144

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrvui_rms.dll

Filesize
460KB

MD5
13456f018f0ae8f5fbde82ee48adc179

SHA1
83934a2e46831e6582be32875206565e04128d20

SHA256
f81f5b6e5e8f8404f82f5eaf648cb3102ceec63d71d7261c3243577213a868f4

SHA512
78489ab31527c37dfec96953e213f4ea0284335c7b241c93cd495474bbb3ec816bedcc6641157c022436e1406e56777f81954c93696b5e34ef88bdb7fd5ca272

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unidrvui_rms.dll

Filesize
441KB

MD5
13b7a1c9434c5a28de83588aae384634

SHA1
0d0f746e86f8e1748bcaef7f2667b32aa21cc6c5

SHA256
734d5a6f4be901329de732bda809f48b92f64009a77a0ca9cfe781ab5a0ca429

SHA512
d8f9c442fb8514c8fca729089f45ac33632f7aa032ccdf38b4764e9394924a646f56dc657e27e7018d78182947809bff08cd538c92621f39545806dd8b284bd4

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
439KB

MD5
7d194a84613154403e739ba10ee25a3f

SHA1
0a73cea57034a9cb070506e873c968809a3411f5

SHA256
ecc525064d8dd8ae49f3a8a6695e4ee4e5a5c8b95a7da9de9e95e1a58adf0e8f

SHA512
5dd6ff83096920eb998c956c7e4c2c775f0cc253e75368a8fd141c7a3d1972bf9fbfb3360d2785639d8af7c5e13d543b50ecf081aeb1a062ee1d14dce4ac4195

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
412KB

MD5
93cbc85a932525b9faa802bf65d3d21a

SHA1
156eacf964f9e723ad195b408b0dc4256fc7ed12

SHA256
99a987a59f7bb78852171681ff57a49123fdf397af8cc52bda22d5b17f788d85

SHA512
3326dc49cc9fd18449c03777f4d12e5920b355a8758cf1a08aeb7f27b5e62e4288ccf760a1e275a34b867fda5259a922c1780c43cecc8422643ce62b95e94840

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
53KB

MD5
efcca833dc45f21e18c4221c094f2085

SHA1
1a848fa6aaa554e4a47ed67f4dd05fa5a166ad77

SHA256
921decb9709c67d2ab18bb7e3bbe6c7d3378b8a84c9891c4d2b1cda7533bb76a

SHA512
b25dced6c37732d75f9af1d076d20f0c3b15e18359dcdd14262905cf9806ec2adde3794e9e829c7f560170b9663d5fe9f1f24223018b4614b3aea8dc9eada055

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
57KB

MD5
9a55e6e855d228b16c50b11d1758dc31

SHA1
68ed88edf02e9a9ad498b90ac20ebb2f86a99758

SHA256
ecf944d2cb11aacbbdd4b675ea8232d813db379287a2af2ea4b344ef449cc884

SHA512
b5af5a5df35df4f2a7e549edf95e3c55857cb6d620329b5d85e588264a87f746f089f47a17b797e4e7c6b40333ac44a69ae416e68d80a99f398ac8268a02362d

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
41KB

MD5
048584d0f2f27e63541ae12aeb1568b9

SHA1
8d399a9e4eecf149391fce3fcb830921e74f5940

SHA256
844b039eb8dbdc9bfad44c2992ed2d4c2e018746ebca3befff5b7c2416da38f3

SHA512
a7a4b39580f116d0920d8aba257a6e6abbd296dc91d7f6c2541a71d68c820fd81c64073190c6de9ca1a8377a99d4e78f5e4baa1381b871259d94aeade0be6794

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
30KB

MD5
216af2aec5f75e405a194e5cc64f469e

SHA1
de5e9e9f67965808e6df77bb851a6669b6358764

SHA256
5b45bb48b266d620b622db524fb2a1dc70e0e82639339ad7cfe02a3b6032df6c

SHA512
3f2b689784ab729053af2526626232c88b37e06466d7f634d81ce726bc21ec319ac97e7def487322d98efbffdddb2782ba1dcc490857f51004fc2195909d5350

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
53KB

MD5
e0d4ee613a2ceec986ee717b9725f845

SHA1
b6a659a52261c47616269c27b38dc5221cdd62e3

SHA256
074a14b29d09dc300a33c924f057fd4f9ceecbeddd7ab8563108e4f6727e0d8b

SHA512
27df0834311aa1b80c498cdb950e81cb2ede21160fdf34dc2644e94d24baca9bc82e5607018731e8baf6f1ea175f4034c24f75b35bd2208b50bfa866c256be14

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
8KB

MD5
64f66b22ceb4a7c34b510e144f94ecd2

SHA1
fbd26e51806df312d455900492ce52fef7b55803

SHA256
97ffc290dcf0548657f5ab203ebed1e05b3381d1c34053ffa44d0182a1e7ed29

SHA512
3e9f073a052da1793aeb27d60d4cc43e7ef777f61938e2f71d1cd6e5c3e6541b040a25572d2b05ef98be8e969275fdd926ae866bf27bf6258008a8db244db3ae

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
73KB

MD5
b99fc1777269bc68778ef11d2b573076

SHA1
0ca85038740e776ee6829b93ee3098fd159b730e

SHA256
390c8e89d90b1b5e8702a15d3114434716023e5902729507c7fbf5dc40f77d45

SHA512
ac6f1eaa1f9e6a3d4b9b7219fe563e9dd2212316815cdd6b0ccfffdbf0a875315311c742eaf848f7e69a0db8451b9f62f252bd90c4cf1d8cf484606d9a9ca06a

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
41KB

MD5
5f9cea0956e44b1a4c12dc9f17afffd7

SHA1
e7fb305bd94fe009a19d84eeee700a1c58e236c4

SHA256
635b20b59eef80152e563621bd72a3715a9a233e151cd9ad7695d6a61413fb99

SHA512
c262f5a98041a17bbe2c711cae6d1b2ca32486a72348b0229283596defd95689b52ed347a45051695e7fa5a6165719d7705b1965d2b7e87f078936be0fe87ef6

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
31KB

MD5
04a4bd0c2ff29ba14e78c6214f8df5e1

SHA1
e646b3d460a9476859b4c06e4042619c7619d0f3

SHA256
c5911142b4df7c9ac1c0243a831e9b94e86c1665283cfe7d0dea108a589f95d5

SHA512
b5b3a29f4f5f80e2db89b5843f8b5b8b76881a278db1dea41a34a983bc5caa6c7f53ac3bb5a03113c222db3a3cd3e0c15561c71847c9518ddf1c04fa8f53300d

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
36KB

MD5
c9b0c99a582a5fe90186fba19545bc9d

SHA1
f4aeefcc72c79f30266d75be25da88ac70a37bc7

SHA256
0a8e20398c1356e927da34a4a51e133373bd90ba175fac6c1002a87ee9767ee9

SHA512
3cf84c44504ba8edc76854bba64c4e7686fa6a2778fb5489401938de6022f13d53d8a56391b88ee659b4117c2d4fb40e00fce8c0d949dc7b6258b84632fbea25

Download Submit
C:\Windows\System32\spool\drivers\x64\3\unires_vpd.dll

Filesize
10KB

MD5
55b32af424de85d8e05ce643befb1cff

SHA1
aaf0f6e4e3d726368eff7dafff16bafc93cc68ac

SHA256
f8a990b866e2f9d6f138d8864f8a0ad28f19133f8b4c00c0ba20fc746cce6d68

SHA512
241e17e1b186e3a0d0ebe9ab7fd9e958e50384bab23abd690954de62ba607dc2cc75c9e130e8836abb8be7c7e29f32a80915edd0b6fe98f3f02e15d911bafbc9

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\rmsui2.exe

Filesize
214KB

MD5
d365140d7485cb00487cce3825b7344e

SHA1
7088c5e6832b797266c28a0734d9b3071e35b959

SHA256
83b5fd45c964c257b7508b6e354b2355121bea0a9b68d5c3b3ae443773cf7ce4

SHA512
645415fbc4aec9ab613f6e0c351a40c846fa7e45a7d089978a3c784ff4adbdf5c82d2f870f8422bac20332e6d187e57a84b1bd3b46d35713b2177e5f6a3d7ba7

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unidrv_rms.dll

Filesize
473KB

MD5
22820e2e00c4295eceae881abe40342e

SHA1
295f11023c5f41ee61a5a384c11a38ea1abdc144

SHA256
bbd59d7361baa6acce7aa39ddb446eb8e777c0dbc83bc59fcf1e298826fa065a

SHA512
ba63efd96f3e51d927ac143bc0380a267840f88fd85f1188c21080a224fda69a275c730a9ddaec54041eacd6618ce11633cc61026420e9e8696878e8c488d3b9

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unidrvui_rms.dll

Filesize
38KB

MD5
d2876a1f1b0b1c7683edd7f3f3b3d5e4

SHA1
b4bf6e99f4d54441e1848a52f556ddb34daa8649

SHA256
5b9575269c5df1ed2abc5ab1cc8829ad439d95cd437754c9c369a6ac1ac7b3ec

SHA512
f2f592aa8189f88f57ff141d065bd3df9d506be434c0fd4f4f9a440325918af3f2227128fb9dc05015abbc63dad9d949d6454c7199fc5de1b03b7ebb99ed5c07

Download Submit
C:\Windows\system32\spool\DRIVERS\x64\unires_vpd.dll

Filesize
519KB

MD5
db020477f9ef3c9b69aad752601c7986

SHA1
05b5a5c0b25d3ed9c2eda5e260116170cd817598

SHA256
5a4a627ecd4a178ae6fdd0dd4e755a0a5f4e7b3def904a88930f722b9d36c193

SHA512
96a12e16fe983362a43fd8a9a7d18b22191a5f5fd2d0cbdef725ec036bf665f3113d47a519dcc34f55623e4d3a7677996cdc9a7b0dbfb424208ddb7d988045a9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
7.1MB

MD5
3a58a6340cd74a7e175671ac194054b5

SHA1
afdcf7440a9990fd003ed4b5a52f75bffd715828

SHA256
888725a19c647e01728687ef7ec0072448ee3beee74c5f67ef78f546e7279dbb

SHA512
014e7108250af05cb6b25256575818af3d9f3df672760bd1cea1f169346a079fc6040c039b8b5beb60aeba8b007ac319db9b7cfa4fda773b251649bb5807d9a1

Download Submit
\??\Volume{05dfbecd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3a0bfec9-de6c-433f-9ca5-78eaacb0ab0d}_OnDiskSnapshotProp

Filesize
6KB

MD5
921a7b568e55231a8850ee523a23f555

SHA1
2245c178c7273044d6ace800ccc8e7bec4edd430

SHA256
5a8e21c09b06b99385468115e9267116addc48301702404dff7d26334406f3c9

SHA512
3d8f8315ecddc4ac22fdf11baaa7771e6396992271e63415ed31b7ccaba8937e7d0401b73d6c4c91cf9e34c8ce2669962f4dc8474afbbfc848629a7effaf6d94

Download Submit
memory/712-303-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/712-308-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/816-113-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/816-112-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/876-313-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/876-312-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1188-304-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1188-314-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1188-318-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1816-116-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1816-115-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3060-335-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3060-375-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3060-361-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3060-305-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3060-315-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3060-354-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3060-350-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3060-346-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3080-302-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3080-118-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3080-131-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3612-364-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3612-368-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3612-378-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3612-374-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3612-372-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3612-357-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4564-340-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4564-316-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4564-307-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4752-353-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4752-334-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4752-363-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4752-341-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4752-317-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4752-309-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4752-377-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4752-348-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download