rms | 8a239323b3ab342bf8ddbe48cf5c85e03d685c607dcdbc7dc5d496de44b2c14b

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe
Size

7.3MB
MD5

05ee4fe7668234dd91047f55a4dfa83f
SHA1

a0161d4e01303f9a8e9e713d2442d0bb6adcf6d4
SHA256

8a239323b3ab342bf8ddbe48cf5c85e03d685c607dcdbc7dc5d496de44b2c14b
SHA512

63f55da3c3f57a427b848473777f095ff48238c4bead145ba70c2e2168bcd3ac0c0df75bf024219313d8991b42ff6fae597c7eafd5dddb2b026c5d7edb5c9ea0
SSDEEP

196608:fdca2q5U/hw0W0OBSSUpq+yLv5xeHsWz+UO+tM5FqX:fdcaFchwX0G+ORxgskFq8X

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1056	rutserv.exe
2780	rutserv.exe
2176	rutserv.exe
1260	rutserv.exe
896	rfusclient.exe
2388	rfusclient.exe
2852	rfusclient.exe

Loads dropped DLL 3 IoCs

pid	Process
2540	MsiExec.exe
1260	rutserv.exe
1260	rutserv.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
44	2416	msiexec.exe
46	2416	msiexec.exe
48	2416	msiexec.exe
50	2416	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Microsoft.VC90.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f77101a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\f77101a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14E3.tmp	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\f771017.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771017.msi	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\f77101c.msi	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
976	PING.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "12"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "148"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c5ecfb0214db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000050848d291eb80328ce9546a3e036072c1b79dac5081e86fc3ec09e44f9ae9fb8000000000e8000000002000020000000af37e9f491f795e3ac49da60b647ff58c867745a1e7b9b1fb3f62a309083678e900000001d26f3bfd561b8c89e579a1c9af107fd32b46089e62f529574183ab8bb1cbc58ddeaffbe1f4603d90836402180da4532122adc168efbd6c411a5801b87733f11f68f19e399765d8fb0cc3a15c26336c7fd400c50f6e5e4732b332ae5b850469c7f200dad07d901fa3db72530c8d90ad4c88a26d32c340ca0fbdf32bf221494365490300f72ffc4a2eff7643142a02ee5400000008359583aa4330a78a8b8bcc5ce64f9f19c8bdfb96f36aa05976d38f8e3dc353a228642df9d2fb186412db236c7f7ff59509f1e41e30fce1f6c019a87fc0e46f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "973"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "1033"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433949933"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "1033"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "103"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "40"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "88"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000f791cb0cdaffb8ad2676cde6eaf00383e3f47a0ac2ede32df7b016d2ddc38bc2000000000e8000000002000020000000c0a6997390af26d500ecc874ebb8526f6052445670e1d01c55a6c100d222779920000000f703b947268f120bd0162fed6a5cb32cdabda78425db9a9c6edb489b1d26dede40000000356e67ade6022ad8dfc06b490014b66e12b0ce393c3b22fd87ec00838bd0ea5c6b7c57db8f56db9437ea49c6d098a30ac81554d0d03215e500a73962c03c7eb3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2697E591-7FF6-11EF-A5D8-F2DF7204BD4F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "148"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "12"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1033"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "103"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "103"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\ = "973"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DOMStorage\rmansys.ru\Total = "117"	IEXPLORE.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\PackageCode = "CA621BAB2625C4F47B0824566FC192D8"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductIcon = "C:\\Windows\\Installer\\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\PackageName = "rms.host5.5ru.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Version = "100603060"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2416	msiexec.exe
2416	msiexec.exe
1056	rutserv.exe
1056	rutserv.exe
1056	rutserv.exe
1056	rutserv.exe
2780	rutserv.exe
2780	rutserv.exe
2176	rutserv.exe
2176	rutserv.exe
1260	rutserv.exe
1260	rutserv.exe
1260	rutserv.exe
1260	rutserv.exe
2388	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2852	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2580	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	2416	msiexec.exe
Token: SeCreateTokenPrivilege	2580	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2580	msiexec.exe
Token: SeLockMemoryPrivilege	2580	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2580	msiexec.exe
Token: SeMachineAccountPrivilege	2580	msiexec.exe
Token: SeTcbPrivilege	2580	msiexec.exe
Token: SeSecurityPrivilege	2580	msiexec.exe
Token: SeTakeOwnershipPrivilege	2580	msiexec.exe
Token: SeLoadDriverPrivilege	2580	msiexec.exe
Token: SeSystemProfilePrivilege	2580	msiexec.exe
Token: SeSystemtimePrivilege	2580	msiexec.exe
Token: SeProfSingleProcessPrivilege	2580	msiexec.exe
Token: SeIncBasePriorityPrivilege	2580	msiexec.exe
Token: SeCreatePagefilePrivilege	2580	msiexec.exe
Token: SeCreatePermanentPrivilege	2580	msiexec.exe
Token: SeBackupPrivilege	2580	msiexec.exe
Token: SeRestorePrivilege	2580	msiexec.exe
Token: SeShutdownPrivilege	2580	msiexec.exe
Token: SeDebugPrivilege	2580	msiexec.exe
Token: SeAuditPrivilege	2580	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2580	msiexec.exe
Token: SeChangeNotifyPrivilege	2580	msiexec.exe
Token: SeRemoteShutdownPrivilege	2580	msiexec.exe
Token: SeUndockPrivilege	2580	msiexec.exe
Token: SeSyncAgentPrivilege	2580	msiexec.exe
Token: SeEnableDelegationPrivilege	2580	msiexec.exe
Token: SeManageVolumePrivilege	2580	msiexec.exe
Token: SeImpersonatePrivilege	2580	msiexec.exe
Token: SeCreateGlobalPrivilege	2580	msiexec.exe
Token: SeShutdownPrivilege	1692	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1692	msiexec.exe
Token: SeCreateTokenPrivilege	1692	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1692	msiexec.exe
Token: SeLockMemoryPrivilege	1692	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1692	msiexec.exe
Token: SeMachineAccountPrivilege	1692	msiexec.exe
Token: SeTcbPrivilege	1692	msiexec.exe
Token: SeSecurityPrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeLoadDriverPrivilege	1692	msiexec.exe
Token: SeSystemProfilePrivilege	1692	msiexec.exe
Token: SeSystemtimePrivilege	1692	msiexec.exe
Token: SeProfSingleProcessPrivilege	1692	msiexec.exe
Token: SeIncBasePriorityPrivilege	1692	msiexec.exe
Token: SeCreatePagefilePrivilege	1692	msiexec.exe
Token: SeCreatePermanentPrivilege	1692	msiexec.exe
Token: SeBackupPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeShutdownPrivilege	1692	msiexec.exe
Token: SeDebugPrivilege	1692	msiexec.exe
Token: SeAuditPrivilege	1692	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1692	msiexec.exe
Token: SeChangeNotifyPrivilege	1692	msiexec.exe
Token: SeRemoteShutdownPrivilege	1692	msiexec.exe
Token: SeUndockPrivilege	1692	msiexec.exe
Token: SeSyncAgentPrivilege	1692	msiexec.exe
Token: SeEnableDelegationPrivilege	1692	msiexec.exe
Token: SeManageVolumePrivilege	1692	msiexec.exe
Token: SeImpersonatePrivilege	1692	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2564	iexplore.exe
2564	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2564	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2564	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2564	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2564	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	29
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2652	1780	05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2608	2652	cmd.exe	32
PID 2652 wrote to memory of 2608	2652	cmd.exe	32
PID 2652 wrote to memory of 2608	2652	cmd.exe	32
PID 2652 wrote to memory of 2608	2652	cmd.exe	32
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2652 wrote to memory of 2580	2652	cmd.exe	33
PID 2564 wrote to memory of 2624	2564	iexplore.exe	34
PID 2564 wrote to memory of 2624	2564	iexplore.exe	34
PID 2564 wrote to memory of 2624	2564	iexplore.exe	34
PID 2564 wrote to memory of 2624	2564	iexplore.exe	34
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 976	2652	cmd.exe	37
PID 2652 wrote to memory of 976	2652	cmd.exe	37
PID 2652 wrote to memory of 976	2652	cmd.exe	37
PID 2652 wrote to memory of 976	2652	cmd.exe	37
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2652 wrote to memory of 2344	2652	cmd.exe	39
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 2540	2416	msiexec.exe	40
PID 2416 wrote to memory of 1056	2416	msiexec.exe	41
PID 2416 wrote to memory of 1056	2416	msiexec.exe	41
PID 2416 wrote to memory of 1056	2416	msiexec.exe	41
PID 2416 wrote to memory of 1056	2416	msiexec.exe	41
PID 2416 wrote to memory of 2780	2416	msiexec.exe	42
PID 2416 wrote to memory of 2780	2416	msiexec.exe	42
PID 2416 wrote to memory of 2780	2416	msiexec.exe	42
PID 2416 wrote to memory of 2780	2416	msiexec.exe	42
PID 2416 wrote to memory of 2176	2416	msiexec.exe	43
PID 2416 wrote to memory of 2176	2416	msiexec.exe	43
PID 2416 wrote to memory of 2176	2416	msiexec.exe	43
PID 2416 wrote to memory of 2176	2416	msiexec.exe	43
PID 1260 wrote to memory of 896	1260	rutserv.exe	46

C:\Users\Admin\AppData\Local\Temp\05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05ee4fe7668234dd91047f55a4dfa83f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://rmansys.ru/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {11A90858-40BB-4858-A2DA-CA6495B5E907} /qn REBOOT=ReallySuppress
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:976
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "rms.host5.5ru.msi" /qn
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCA585D83C03152700ADDCDB292703DF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2176

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:2852
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77101b.rbs

Filesize
21KB

MD5
b0c9c4888677ebf46fb79de41bea2ac4

SHA1
a017443e3e5f725ee89803c21118a612174ecba9

SHA256
09bc28eb58ee94f09190299aa302c2c7a4a045e7d7f5734f1567f83e11de6ed4

SHA512
0ee497c1de3a98622f33b48218b78d4ebe0530569f7fafb81184bac3304299024166f23d9151d7e3aece617983597df62f990bed4e051be4e553b6f43ae52b3b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
90dea654be9ff2a477a874ede3b8919e

SHA1
53e2e671335c55e16dde8913e09509b4ecd9b39e

SHA256
3b6d4e43df68eadef9def8e7e8b4472114459385853cea859f2185a5ecfab24e

SHA512
297dbf1fb868e56fe5175e70d6c88c8f5932ddb838f415ea97835a994ca2958657ed58eb920abc33417aa7386a532a6412449b08989290d4749efe2270f62bd9

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
941d1b63a94549cbe5224a4e722dd4d5

SHA1
bab121f4c3528af35456bac20fbd296112624260

SHA256
ce1cd24a782932e1c28c030da741a21729a3c5930d8358079b0f91747dd0d832

SHA512
b6bf11fa34ceab70e3f3ce48a8a6dcbe5cfa859db4a03ca18cc6309773a32aff9db111d2d2ab5bb1ce974322eaf71ea81cfaa3911d6b8085a82823a0aa1d30ee

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
957KB

MD5
897266223a905afdc1225ff4e621c868

SHA1
6a5130154430284997dc76af8b145ab90b562110

SHA256
be991f825a2e6939f776ebc6d80d512a33cbbe60de2fcc32820c64f1d6b13c07

SHA512
1ad1386e71e036e66f3b6fdece5a376e7309ceb0f6eb73c3a8203b0825c45aa1f74e1f722b508cf3f73456e7d808853d37bcef79bfe8476fc16a4e6af2e9202b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
3756211f2aa8ffe4b37afd42b6e3ecd3

SHA1
8fc79a50f97d0cfe3c877b13931353cade99e2f6

SHA256
e283bc3d094bc5ec94d922f3b5559c4ad8ca25c4a24e2ca31e74511ba31e29c1

SHA512
e83cd1d0fa8cc28d3154fb223ac938a5fd1b37a600f3a88a4ae7924a56b1a3684d210e273005fe436b03e07e8af76a19626c022bd6fc2eeefd1be8bd0d251edb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll

Filesize
240KB

MD5
50bad879226bcbbf02d5cf2dcbcfbf61

SHA1
be262f40212bd5a227d19fdbbd4580c200c31e4b

SHA256
49295f414c5405a4f180b319cfed471871471776e4853baaf117a5185ec0d90d

SHA512
476df817a9c9e23423080afcac899b83fc8f532e4fe62bea2feeb988cba538f1f710e2fb61d81d6c283c428d772922c7a6ecb1684ac68ca8f267415105a60116

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
2721aa44e21659358e8a25c0f13ce02b

SHA1
91589226e6fd81675e013c5b7aad06e5f7903e61

SHA256
74ca24097bc69145af11dc6a0580665d4766aa78c7633f4084d16d7b4fecc5fb

SHA512
fb1f06e18b369e5df0dedf20bf5bcaae4f6d93bf8a4789db2d05b7c895fdeff2dc086089cca67fa7d352563b491606a547c37959db623b071e90a1c876d6cc2a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll

Filesize
1.6MB

MD5
7916c52814b561215c01795bb71bb884

SHA1
0b3341642559efc8233561f81ec80a3983b9fc2d

SHA256
7d3c4c52684afff597dc4c132c464b651cb94aad039458b674d69cf76c240e64

SHA512
fc0a1d717c636639be6835d93bdde8019799842e11a055bedeb468f57cfaabf5582a65e1770841486550e06b1b9ba020ff5fad14b7838fe70afefb37933f1a8f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll

Filesize
556KB

MD5
99c5cb416cb1f25f24a83623ed6a6a09

SHA1
0dbf63dea76be72390c0397cb047a83914e0f7c8

SHA256
9f47416ca37a864a31d3dc997677f8739433f294e83d0621c48eb9093c2e4515

SHA512
8bd1b14a690aa15c07ead90edacbcc4e8e3f68e0bfd6191d42519b9542786df35a66ed37e7af9cf9ff14d55a5622c29a88fee2a5bde889740a3ce6160d5256ac

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll

Filesize
638KB

MD5
bfeac23ced1f4ac8254b5cd1a2bf4dda

SHA1
fd450e3bc758d984f68f0ae5963809d7d80645b6

SHA256
420d298de132941eacec6718039a5f42eaec498399c482e2e0ff4dad76a09608

SHA512
1f4afc2eb72f51b9e600fbbf0d4408728e29b0c6ca45801605801ead0a287873ebbfaaae10b027f1a287c82232d1e7a3a7e7435b7f6a39223c3f7b23d96ed272

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.8MB

MD5
1d6f0b1752b19af83f1acffac80d02a9

SHA1
e9c4bce6a1999e399a0fe69f6377c816d0241fdc

SHA256
a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22

SHA512
e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d619e226362fee15f2809274d2b8b40a

SHA1
00509b5ebfee028a35a8da1d321049c0443cc1fd

SHA256
9e47788f9cf0f6c5bc836f6f7bfb6c26b5964086eff22d12a91a8fdcd23f3698

SHA512
303418842dae5abdf96d2b0c68ff034c927111143cbd630970e6ff4132ff48ab36a22736715a2f39aa9091dbf704e91b602bc68ab20192f6636e74830d57cd90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43279b5420c953832069697930f1e7ec

SHA1
01f8b0e95b00d65cc9c16ce12f68da3b419edd7e

SHA256
a80e417561c6fe93dea6254f6b78a080564e540f8efc41cc0c1e205cb533aba3

SHA512
74b31432e28ebe24771ee43de72858c05208260ecd4f13b0d4a2f330ae10d303e89eda2febb8001c529c3550df36216d332c91148b6b4b65d88dbde89994b585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eac16972f48b4f34ef78959202b7aaf

SHA1
d854153090abcec1efe1789ee627f5a15f14f8fd

SHA256
c2874c68e4174a57557fae1332c9ade7d057b5fe22e95362afc8fb1ecbec0f62

SHA512
f0e87dcc63445e4c41db62b85f4ba3df3540b96feb7d9d0111698b66ba0705da0a9ffb3de76c3f04b499d4376a4c0a2d29e1c419947278f67d7791d677db319e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
420afc4bbad57a59d9fa2260368833a9

SHA1
0520fc5febfdf576e0f52bc782da9f99132eb48c

SHA256
b33b9e001fc9bb58d864f323fe5052e59a2d30fd9202b4c10baecf0ba53e9d35

SHA512
c7584d8160cb68e5d01dd2c919d164ac2634bc40c77b9fe67ca0734c327606ea83ca8d83e856f5b23b8aafe67bbb0fd572765877557e8a6d42b6eefb65c38316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc0f6b66b15c22cd8be03e4a9a2fc69f

SHA1
55c046db7b53c14664ecf04781399576d4b9a482

SHA256
6faa84d219a5fcb09e6b2e7715226cc106f86fa9b836295c1523a646b317eb0a

SHA512
765f1e437cb45c72838828330ba0c4da260fbabe7fa0dfa4037040249bd7491bc0bd514436fb45932999a947e9fda89eff2cb7788863d665d123c6897e0aa0fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3876d1aa0176ba1d06e63cac450ac55a

SHA1
68f20a5d65dc60e72c454995f29adb7895d10d2d

SHA256
1511babab321b30810cbfd803c8d446f114f838ebd8c33acf18a67dd5f1a931d

SHA512
490163d2f0a706611fdc365c5d1d31bb1fda27104da849a4586d0fd676f124928e131172d7b0cf02f490d1fddbdf9891f7f0f82f3f0ce26ee337a872b23cda70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
974f711f803dad66236288e1614c5532

SHA1
d0bc0f52562c4ed82c1484d83c31e1c1da853151

SHA256
55ddc5d544265b2c74765b69363bdbe8b30f85dc08ce3ed6cac84da3ae11103f

SHA512
c934a024f85dd2623657939c6a25d35ce76f21d1253997d43b5eef51c4fdf63fb7e9f62980d7542ab948ed058553a6c1e417e3e4d610f196ca1961882dd0937b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feef82cd86af3fdb414b566a8ae6c2d8

SHA1
facc11e467c25367c82ee57b80558a6fb6544dcb

SHA256
c7c0346c774bb43aee563d9de1fcb9442e7d371edf25a91ba174301d66929e3f

SHA512
1885b2333ec4aaf413cc08e40e4842beed889971c5f0fd33ff7ff52839c9d3d98c30f8ff48b7654756bdb4aeacbfb994036d6264bb4ab051561512e5f3593de0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
668169ac06fc6c21bc27a5c1223de05e

SHA1
113eb17c12ec539d9d6f026ce52dfd85e1783953

SHA256
afc983bbac330a21c394c4b214dd82231d53ba0abad9cc9da6ef6a5a77be7d6e

SHA512
b19f614d51f57ea9e237f461aa0b95d21c7c3dc1ae3159b0412302363e2ac5536f1f4bc1c9b9b231908acfa81f503922128b04fad319659c06af8d4fbf0b457b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3ae523987ff51b52bfd97fe94124948

SHA1
6f0ea81aab4d44e6edcd6d0632fa8aebaa225dd4

SHA256
2de8d6c7341323a2101b6e1982c30df459b09bb3bf4f950cabbadf786f348ba7

SHA512
f356dcf2e1f698cdf30a667c4a503ea23b7aa902ad69aee702bebf366a87500044ed3fd7c11586a77b0f2f45b02f5e685fc5ed4ad3160110334877f6502ae05d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8198a45e4c36d5bc9e25cb9576b21e4

SHA1
5ec97585c921906b32ade2f5b20bb7534b55650b

SHA256
04b0a3a83efe5016c23be67e557876d45f8bfe60f00e5d99c79281b4ba564ad3

SHA512
8376398fd0d8dbec6523f978013c79e9b06725f70917c7c5277c13d375513e949c42371b002b420f34408dce5d9c8c134795055b6435e5faea8ae61c9aef5ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32eb3361d07b04aa48750dfc2a04132d

SHA1
1b77b697f1527390a99581d5e391f92d3cf8c166

SHA256
b9af196f48bb7cedc0f68902a9a961487348ce0e97eedba6413e7dc9bd75022e

SHA512
426243c48d0ece56812795c9ad5113f3c0905e4875f010aa2f8f64ac2da36b73433bb6372ccafba53d2257982b5cf9f26f392663ae9f4468722b7ffe5112dbce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c74a44c919113dd4ecf386bc53e984

SHA1
5cf1941f9cf7fc8aff93fdde511eb56c55ac758a

SHA256
f1ca07035076c8f50c1814fbaba7aa186ca2ec7a043c03fd39597327a892374f

SHA512
7e48c885942fc393fce1145c2124f80593d919a7eac93051ae1a241515721a2fdd69679785fc3ee3d13dd8399df1e86caa89ccf8572697d8ed62e7b166a130c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
619a7ad4170f5609e602cc9cac047919

SHA1
1cd88394106802bfa4a4959caf2d4c47e5ec9f8c

SHA256
7c4bf0f69a73e27c276cff5fcd15672a0bc99e99a68f96107b433621cf62592b

SHA512
d921fe67e9016cbe6fabbe54f4590ee39a480d65c34f179a1693531e30bdc4486b0d98853fda4f8e842f5d56d91944e7d2cd31abfcef2be2b844893567e0bba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82d25c28fd12815b8dafe402dba2fa18

SHA1
22f1c4388485d07f585b22de02d777774e05ad5f

SHA256
079a21125f55fc9f2af2ff40dd27812f0cc193da29b22831679d5e8f242ab234

SHA512
21d5d815ad3f2d06ac490f2a6e518e664aa8f109c5e91a548eb1d7c65a2dea212a304cb2d7e6f865ce1eb65ce57f3b884031bd9b13c46b8177b37cee5ff9efbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4df8763ce1fb697a072b20b8e44b6ecb

SHA1
ebc6c5a4364b5b300f998a12ee4615a2b757f225

SHA256
967aa1b6ab8f23c394a2274345ae085793ceab27369fe3fc69734fa3d9a510b9

SHA512
22eede857b51186081314153ad7fa08ee50cbc850d5443a16eef6f7b6c6ba8528b34e3d5641f4bbe988372abc760aeb154dbca26472b78c439f194c5aff2cba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86a1f735243fa045c5a2d9cfe209bb2d

SHA1
1507529c4e7d23ab83c3f9aebe84890a3acff02d

SHA256
a1d1ff10f2fcbf32dc00e4abb9f1f8925095681df6e4ec12093ab675a4f2d996

SHA512
818a9cb6fa30571655d54af04e4a5d90bf1a5f69e2f4047297186609120b2f3129bcbe9c5678c195f1385196fe4689125d9d673ed9d1ac39db79ad76927f65b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ec58da9a86a2d4ad45f6e2b02734c03

SHA1
f7306c54d40d5b08dd499a5eee6e49d7135ef721

SHA256
d7a9d3d33329d74f7cf89c24a5a5fc22e1c889719d91b04cf282097a57ea13b9

SHA512
5b286da7e85ae713dd63d0a03cee8c7653229c1e7bedd99c869a433f91e0f9b20e65c0e5c2fbe42eef6a2e91ad46c74287750aa2fd1614ae3ce8badd44d4d287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4f28d48b78b0f5e180bb274fd2d664e

SHA1
7fc7e39f55656a455ba09ba886eb9152fc16e0c4

SHA256
12ff3f488f65d3b2b28894c605ceb6037a887d0ab4687906ee0224313167f25a

SHA512
06f4110a5d7882c84480a76ccb6c59705cbd38913db6d2ec163aea311631cf442402842301a4db40ae59f6879514e2ab353a880d27007f7975ba91293c20c994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaac329e5bb17986e46ff8be0b4dd422

SHA1
e24533ead701731d40d4961df1d466c95e43e236

SHA256
abec23d8620d9c475b6dd19d44698e7182e3045fc9e2706361057412bf9992ee

SHA512
e58cf0d3c0bb75b21897b033285f43a8148731df73b17dfeaa59f7f71e92f841e6bf4cab7628c15f68de41a4ee4416f0be3a3ddc68b3843e9d30f7e5ae8d5009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba0ca2c3e9c968031e05be4b1042fdc6

SHA1
f028a23af0540c0f66dfc45abf9e58a5a0b960d5

SHA256
874776aeff7522ed5d4673b487c2ef2d9a2772debc8937add6961299535e76ed

SHA512
866a14ebdfb084b29a44e8a45b072af382a58caade6f906f60bfb4cfc0eeea59f7da3643710a53d7afcd6dbaed782457cc0701b0b9a04c0c03382157d50d8643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a79cec31d33eeaacbc8672ee2dbaa5cb

SHA1
7c57194668f6cbae75426ab45b747f55666b4420

SHA256
4e40c3199544ab04a53226b95fb743fce02f68159315b9c429b7a83b442bf34c

SHA512
703be4b5eb0799cbbfbf9cca1fca6575b8c7c94cb7049a8a16acf6131477f60f900409c14ab05e16631995878b6dffbda8542914cbc4966efb881574ff97c7d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2e70c0943cd46d4bfb6c1b19be716da3

SHA1
c39cba73e06b13ca1d1bf43cdef23c95b9ea82fd

SHA256
914ab3e168b9e7d95d0dfb8ecb13e3f620d1fcf4a134800224f02fba31ba5a86

SHA512
9abc92abd814756e127f5cbc40f5523419644b283f3dcb042dd84e6ba19aceb89d826ba406587da4c0e589e4693e85d18f8b2f5c31befc6eaa95e6ba3df18f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZSXQXLYF\rmansys[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZSXQXLYF\rmansys[1].xml

Filesize
175B

MD5
35128bd59ae21044ea1ab3e24552c272

SHA1
54ef4e8e479aa2f0f464a50ef421975cf8a6bb1a

SHA256
d70fa3a65968a238060fa954bf944f9daa63b964918ca6c23fffd1dfa76e4ae4

SHA512
701ef3c8e962ceaf674fd5b3a1a4eeed5c18cd6343b49bc95552433ba727f5a6452edb28b7cfb8c59a2291a3be5308164b5793dd9c5f176f8d2021eac66ae3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZSXQXLYF\rmansys[1].xml

Filesize
431B

MD5
b34c22fdefd3bd7bfa1b687ed03a3f42

SHA1
3e698c84b0febb5e884a3b6638b950d68ed61aa5

SHA256
6688e765712a1583134f7123d03bac0d7af8db55f915637b17de25b23d6b72a8

SHA512
a70043795b1c2fcdb82a59d1ad1d5956a6cb0d8bf18ea68a994f67a7337bb8b132a662d8866df3d429ecfbc9eb0e5de219b327bfd503218b445029622e446cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZSXQXLYF\rmansys[1].xml

Filesize
2KB

MD5
53b6f30f51e6b0ff990185e006f9430a

SHA1
02b936f0e29a2ba1d8efba531f4c93fea1302e5e

SHA256
856372ebd66daa807fed627ce97961a76efa32e52d4f7f436fc117b85509a876

SHA512
34c3a253d3fd01a416f3b370f615861a78b8945d6f0037b07af13f06b7babe6dda73d3ac464168bc7dba6c9c8adf981f3dcf24388b08b773d17120c62e2168df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZSXQXLYF\rmansys[1].xml

Filesize
2KB

MD5
02de6e0add9dc9e7229e3a451d5085f1

SHA1
e72ce1c16e97ab342b7fdc6b484b3390c4aa5138

SHA256
7b42b0ce0a1c13c51dd153dc34e3ab8fca15498428f7d60787667fd7442852fa

SHA512
00b33783264d0143f78745772cefe3db0d1a0b6fa98b65a6ed1f287fdfa529f6c057014a02675ffd0680b291217dd0a2f2dfe73e754768ce0d768728cca1a9cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bl977i7\imagestore.dat

Filesize
347KB

MD5
3af2539ba44bf5fe91e84058ae004ed5

SHA1
ed817b8e9d0d80e6936ef0ec977fe2b179fc0fe2

SHA256
f7ce9d55f79ac2da26031b9470bf0b7c203934df168b20f03427a42bd104041d

SHA512
1e2f625d2b3215f8375116332513a8fc737e34cb1aaec431dd897e9c620c1d0be29f599a43cc0200b08346a38645664fe42f976e9677cea50916b931cbe8d8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\favicon[1].ico

Filesize
347KB

MD5
a71391a49a52013f1439de91ae173d6f

SHA1
d73ec1044cfdecfc7ed3c9524ba6b8991f109f75

SHA256
b425bb2e4ef3e22cfab086b36a110fb6569e8a0a0a0a8c987671acda423dbdff

SHA512
746dd25d165e3914837b1a85259aab596d62e9380b069867af9ac564e9be7c1a2a2f1766f09022d4a1bb52c7e4012d8708ab253d6d8c5aefc4735b62fa1922ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
223B

MD5
897bdd1d3ae40620f0f83c9c801ec7ce

SHA1
d0658ee6cb4c06af60b305269381ef16b4ff1808

SHA256
29c7fc8f815bd53c89a579d35ac3c5f1716a81178b89c817eefaca6f46c51c2b

SHA512
55949dd728620a4f2d26e883172dedb42cc3ae31ada952fb2838fbb13f16b0143d196a859fe565f754275889f3b1757d5748c958f1cb5b11c1851bb5f76289f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host5.5ru.msi

Filesize
7.9MB

MD5
d1ec1fe34651c053a5a1881dda880216

SHA1
ba2ce62f21bebda5235c28743b52e9aadacb8ca7

SHA256
ea51589ec7a67155aee4a213149dde1fcc34de199af31af018468c7625bc7c25

SHA512
6d5b25ca0019d98320a608dd2bfa47b402386ed492fb0f2ec87ab91b90062ef02b9060ef0d34e05d8c8572b84c8066fd840947b728af08609249313f60673ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1065.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSI13D9.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/896-789-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/896-818-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/896-811-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/896-807-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/1056-320-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-816-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-787-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-812-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-809-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-805-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-1368-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-1375-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-1382-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1260-1389-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/2176-352-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/2388-788-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2780-323-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/2852-786-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download