Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 12:07
Static task: static1
Behavioral task: behavioral1
Sample: RMS.7.1.7.0_configured_client.msi
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: RMS.7.1.7.0_configured_client.msi
Resource: win10v2004-20241007-en
Behavioral task: behavioral3
Sample: RMS.7.1.7.0_configured_client.msi
Resource: win11-20241007-en
General
Target: RMS.7.1.7.0_configured_client.msi
Size: 21.5MB
MD5: 282e49971af85d26fcc453c1604dbca2
SHA1: e2fa2c353891cd1782d0237a65d86bd4ad9e811c
SHA256: 7246aefd7681d59bc981afbece29efbe31ce1aabac8c3ee6d74a4e52afcda468
SHA512: 486be3d725bf9828521fd883033eb1ee9c2b5cc3faee0bf8cab829deccff70c6510f92088876193ba7d3249390a4e0c166cf07850917a8fe2c1e5845a5e83705
SSDEEP: 393216:p4HnfylxIDItISQ3f5W4YyGIi8224pPwpd0YDW0J9pd88lVpA:p4HaYkITCyGH822UoDW0e
Malware Config
Signatures
Detect Lumma Stealer payload V2 (1 IoC)
resource | yara_rule
behavioral2/files/0x0003000000022eb1-175.dat | family_lumma_V2
Lumma family
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
4 | 4592 | msiexec.exe
6 | 4592 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | rfusclient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | rfusclient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | rfusclient.exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 | rutserv.exe
Drops file in Program Files directory (57 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\printer.ico | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\ssleay32.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.hlp | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.hlp | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\rppd.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\libeay32.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2024-11.html | rutserv.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Logs\rms_log_2024-11.html | rutserv.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppd.ini | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\printer.ico | msiexec.exe
Drops file in Windows directory (18 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | msiexec.exe
File created | C:\Windows\Installer\e590d73.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF58.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | msiexec.exe
File created | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | msiexec.exe
File created | C:\Windows\Installer\e590d75.msi | msiexec.exe
File created | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\ARPPRODUCTICON.exe | msiexec.exe
File created | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | msiexec.exe
File created | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\e590d73.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | msiexec.exe
File created | C:\Windows\Installer\SourceHash{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF} | msiexec.exe
File opened for modification | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\ARPPRODUCTICON.exe | msiexec.exe
File created | C:\Windows\Installer\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | msiexec.exe
Executes dropped EXE (10 IoCs)
pid | Process
968 | rfusclient.exe
5016 | rutserv.exe
4624 | rutserv.exe
1220 | rutserv.exe
1812 | rutserv.exe
436 | rutserv.exe
3260 | rfusclient.exe
4944 | rfusclient.exe
1988 | rfusclient.exe
4688 | rutserv.exe
Loads dropped DLL (11 IoCs)
pid | Process
4664 | MsiExec.exe
5016 | rutserv.exe
5016 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
4592 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS (45 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | rutserv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | rutserv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" | rutserv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | rutserv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC" | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | rutserv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | rutserv.exe
Modifies registry class (24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\ProductIcon = "C:\\Windows\\Installer\\{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\\ARPPRODUCTICON.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\D2BA10AC219E0CF4DA25D216B00E1DFC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\PackageName = "RMS.7.1.7.0_configured_client.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D2BA10AC219E0CF4DA25D216B00E1DFC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D2BA10AC219E0CF4DA25D216B00E1DFC\RMS | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\ProductName = "Remote Manipulator System - Host" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Version = "117506055" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\AuthorizedLUAApp = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\PackageCode = "DBA1AAEAE60B87C4A91018B4785B4BA5" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\Language = "1049" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D2BA10AC219E0CF4DA25D216B00E1DFC\SourceList\Media | msiexec.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
pid | Process
968 | rfusclient.exe
968 | rfusclient.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
3260 | rfusclient.exe
3260 | rfusclient.exe
4944 | rfusclient.exe
4944 | rfusclient.exe
3260 | rfusclient.exe
3260 | rfusclient.exe
1988 | rfusclient.exe
1988 | rfusclient.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4592 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4592 | msiexec.exe
Token: SeSecurityPrivilege | 1432 | msiexec.exe
Token: SeCreateTokenPrivilege | 4592 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4592 | msiexec.exe
Token: SeLockMemoryPrivilege | 4592 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4592 | msiexec.exe
Token: SeMachineAccountPrivilege | 4592 | msiexec.exe
Token: SeTcbPrivilege | 4592 | msiexec.exe
Token: SeSecurityPrivilege | 4592 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4592 | msiexec.exe
Token: SeLoadDriverPrivilege | 4592 | msiexec.exe
Token: SeSystemProfilePrivilege | 4592 | msiexec.exe
Token: SeSystemtimePrivilege | 4592 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4592 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4592 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4592 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4592 | msiexec.exe
Token: SeBackupPrivilege | 4592 | msiexec.exe
Token: SeRestorePrivilege | 4592 | msiexec.exe
Token: SeShutdownPrivilege | 4592 | msiexec.exe
Token: SeDebugPrivilege | 4592 | msiexec.exe
Token: SeAuditPrivilege | 4592 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4592 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4592 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4592 | msiexec.exe
Token: SeUndockPrivilege | 4592 | msiexec.exe
Token: SeSyncAgentPrivilege | 4592 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4592 | msiexec.exe
Token: SeManageVolumePrivilege | 4592 | msiexec.exe
Token: SeImpersonatePrivilege | 4592 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4592 | msiexec.exe
Token: SeCreateTokenPrivilege | 4592 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4592 | msiexec.exe
Token: SeLockMemoryPrivilege | 4592 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4592 | msiexec.exe
Token: SeMachineAccountPrivilege | 4592 | msiexec.exe
Token: SeTcbPrivilege | 4592 | msiexec.exe
Token: SeSecurityPrivilege | 4592 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4592 | msiexec.exe
Token: SeLoadDriverPrivilege | 4592 | msiexec.exe
Token: SeSystemProfilePrivilege | 4592 | msiexec.exe
Token: SeSystemtimePrivilege | 4592 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4592 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4592 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4592 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4592 | msiexec.exe
Token: SeBackupPrivilege | 4592 | msiexec.exe
Token: SeRestorePrivilege | 4592 | msiexec.exe
Token: SeShutdownPrivilege | 4592 | msiexec.exe
Token: SeDebugPrivilege | 4592 | msiexec.exe
Token: SeAuditPrivilege | 4592 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4592 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4592 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4592 | msiexec.exe
Token: SeUndockPrivilege | 4592 | msiexec.exe
Token: SeSyncAgentPrivilege | 4592 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4592 | msiexec.exe
Token: SeManageVolumePrivilege | 4592 | msiexec.exe
Token: SeImpersonatePrivilege | 4592 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4592 | msiexec.exe
Token: SeCreateTokenPrivilege | 4592 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4592 | msiexec.exe
Token: SeLockMemoryPrivilege | 4592 | msiexec.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
4592 | msiexec.exe
4944 | rfusclient.exe
4944 | rfusclient.exe
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
4944 | rfusclient.exe
4944 | rfusclient.exe
Suspicious use of SetWindowsHookEx (21 IoCs)
pid | Process
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
5016 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
4624 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1812 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
1220 | rutserv.exe
1812 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
436 | rutserv.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 1432 wrote to memory of 4664 | 1432 | msiexec.exe | 84
PID 1432 wrote to memory of 4664 | 1432 | msiexec.exe | 84
PID 1432 wrote to memory of 4664 | 1432 | msiexec.exe | 84
PID 1432 wrote to memory of 3112 | 1432 | msiexec.exe | 97
PID 1432 wrote to memory of 3112 | 1432 | msiexec.exe | 97
PID 1432 wrote to memory of 968 | 1432 | msiexec.exe | 99
PID 1432 wrote to memory of 968 | 1432 | msiexec.exe | 99
PID 1432 wrote to memory of 968 | 1432 | msiexec.exe | 99
PID 1432 wrote to memory of 5016 | 1432 | msiexec.exe | 100
PID 1432 wrote to memory of 5016 | 1432 | msiexec.exe | 100
PID 1432 wrote to memory of 5016 | 1432 | msiexec.exe | 100
PID 1432 wrote to memory of 4624 | 1432 | msiexec.exe | 101
PID 1432 wrote to memory of 4624 | 1432 | msiexec.exe | 101
PID 1432 wrote to memory of 4624 | 1432 | msiexec.exe | 101
PID 1432 wrote to memory of 1220 | 1432 | msiexec.exe | 102
PID 1432 wrote to memory of 1220 | 1432 | msiexec.exe | 102
PID 1432 wrote to memory of 1220 | 1432 | msiexec.exe | 102
PID 1432 wrote to memory of 1812 | 1432 | msiexec.exe | 103
PID 1432 wrote to memory of 1812 | 1432 | msiexec.exe | 103
PID 1432 wrote to memory of 1812 | 1432 | msiexec.exe | 103
PID 436 wrote to memory of 3260 | 436 | rutserv.exe | 105
PID 436 wrote to memory of 3260 | 436 | rutserv.exe | 105
PID 436 wrote to memory of 3260 | 436 | rutserv.exe | 105
PID 436 wrote to memory of 4944 | 436 | rutserv.exe | 106
PID 436 wrote to memory of 4944 | 436 | rutserv.exe | 106
PID 436 wrote to memory of 4944 | 436 | rutserv.exe | 106
PID 3260 wrote to memory of 1988 | 3260 | rfusclient.exe | 107
PID 3260 wrote to memory of 1988 | 3260 | rfusclient.exe | 107
PID 3260 wrote to memory of 1988 | 3260 | rfusclient.exe | 107
PID 436 wrote to memory of 4688 | 436 | rutserv.exe | 108
PID 436 wrote to memory of 4688 | 436 | rutserv.exe | 108
PID 436 wrote to memory of 4688 | 436 | rutserv.exe | 108
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RMS.7.1.7.0_configured_client.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4592
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
  -
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 68840EA1CFD50EBB1083A35464444CDE C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4664
  -
  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:3112
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\Admin\AppData\Local\Temp\RMS.7.1.7.0_configured_client.msi"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:968
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5016
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4624
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1220
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /CONFIG /SETSECURITY
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1812
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID:3860
-
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:436
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3260
    -
    C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:1988
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4944
  -
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4688
-
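The process tree above is the whole story of this sample from a detection point of view: msiexec.exe runs the package's custom actions, which launch rutserv.exe with its install switches (/silentinstall, /firewall, /start, /CONFIG /SETSECURITY), after which rutserv.exe -service runs on its own and spawns the rfusclient.exe tray components. The script below is an added example for this report, not code from the sandbox or from the RMS product: it rebuilds the tree from process-creation records and tags the processes that make up that chain. The EVENTS list is constructed from the report's own process list (parent PID, PID, image path, command line); the rule names, INSTALL_SWITCHES and the helper functions are this script's own.

```python
"""Rebuild a process tree from process-creation records and flag the RMS host
silent-install chain recorded in this report (added example, not sandbox code)."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RMS_DIR = r"C:\Program Files (x86)\Remote Manipulator System - Host"
TMP_MSI = r"C:\Users\Admin\AppData\Local\Temp\RMS.7.1.7.0_configured_client.msi"

# Constructed from the report's process tree: (parent pid, pid, image, command line).
EVENTS: List[Tuple[Optional[int], int, str, str]] = [
    (None, 4592, r"C:\Windows\system32\msiexec.exe", "msiexec.exe /I " + TMP_MSI),
    (None, 1432, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (1432, 4664, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 68840EA1CFD50EBB1083A35464444CDE C"),
    (1432, 3112, r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (1432, 968, RMS_DIR + r"\rfusclient.exe", f'"{RMS_DIR}\\rfusclient.exe" -msi_copy "{TMP_MSI}"'),
    (1432, 5016, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /silentinstall'),
    (1432, 4624, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /firewall'),
    (1432, 1220, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /start'),
    (1432, 1812, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" /CONFIG /SETSECURITY'),
    (None, 3860, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (None, 436, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" -service'),
    (436, 3260, RMS_DIR + r"\rfusclient.exe", f'"{RMS_DIR}\\rfusclient.exe"'),
    (3260, 1988, RMS_DIR + r"\rfusclient.exe", f'"{RMS_DIR}\\rfusclient.exe" /tray'),
    (436, 4944, RMS_DIR + r"\rfusclient.exe", f'"{RMS_DIR}\\rfusclient.exe" /tray'),
    (436, 4688, RMS_DIR + r"\rutserv.exe", f'"{RMS_DIR}\\rutserv.exe" -firewall'),
]

# rutserv.exe switches seen in the report's installer-driven chain (lower-cased for matching).
INSTALL_SWITCHES = ("/silentinstall", "/firewall", "/start", "/config /setsecurity")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def build_tree(events) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent when the parent was recorded."""
    procs = {pid: Proc(pid, ppid, image, cmd) for ppid, pid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Parent chain from nearest to farthest; stops at a root or an unrecorded parent."""
    chain, cur = [], procs[pid].ppid
    while cur in procs:
        chain.append(procs[cur])
        cur = procs[cur].ppid
    return chain


def detect(procs: Dict[int, Proc]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for processes that match the RMS host install pattern."""
    hits: Dict[int, List[str]] = {}
    for p in procs.values():
        cmd = p.cmdline.lower()
        if p.name == "rutserv.exe":
            # Host set up by the installer: install switch with an msiexec.exe ancestor.
            if any(s in cmd for s in INSTALL_SWITCHES) and any(
                    a.name == "msiexec.exe" for a in ancestors(procs, p.pid)):
                hits.setdefault(p.pid, []).append("rms_host_silent_install_via_msi")
            # Host adds its own firewall exception (report shows both /firewall and -firewall).
            if "/firewall" in cmd or "-firewall" in cmd:
                hits.setdefault(p.pid, []).append("rms_host_firewall_rule")
            # Host running as a service and launching the client/tray component.
            if "-service" in cmd and any(c.name == "rfusclient.exe" for c in p.children):
                hits.setdefault(p.pid, []).append("rms_service_spawns_client")
        elif p.name == "rfusclient.exe" and "-msi_copy" in cmd:
            # Installer caches a copy of the MSI (the ProgramData copy listed under Downloads).
            hits.setdefault(p.pid, []).append("rms_installer_caches_msi")
    return hits


def render(procs: Dict[int, Proc], hits: Dict[int, List[str]]) -> List[str]:
    """Indented tree, one line per process, with matched rule names appended."""
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        tags = ("  <- " + ", ".join(hits[p.pid])) if p.pid in hits else ""
        lines.append(f"{'    ' * depth}{p.pid} {p.name} {p.cmdline}{tags}")
        for c in p.children:
            walk(c, depth + 1)

    for p in procs.values():
        if p.ppid not in procs:
            walk(p, 0)
    return lines


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("\n".join(render(tree, detect(tree))))
```

On a live host the same records come from Sysmon event ID 1 (ParentProcessId, ProcessId, Image, CommandLine); only EVENTS changes. The msiexec-ancestor condition is what separates an installer-driven silent deployment from an administrator running rutserv.exe by hand, and the separate firewall rule fires on both the install-time /firewall and the service-time -firewall invocation, which is why PID 4688 is tagged although msiexec.exe is not above it.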
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 51KB
MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2
-
Filesize 1.3MB
MD5 5222eaf78313758b0520be16e3f8392e
SHA1 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812
-
Filesize 10.2MB
MD5 06208aa91f0f77d6c9b989f65803382a
SHA1 75e37439e6d1537fadf38c758df3a9fb232313cf
SHA256 d576d6fcfdae0ac29d5b040847929b2f8a83436f6b2160a88e8c5ebc119654c5
SHA512 a31e9c4c860873155690b90fb8f6d9ca30b084aa32ac94bb7e8ad90ca8d6d89349dc4924eafb2b689ef9ebaf5faa264d9f6c062818d844d17baae7793ba2ec1e
-
Filesize 13.2MB
MD5 ece07269ca0117d3d8b5985143ce0c12
SHA1 27944e65b0387cacc2839d0ca7bac743a78bc6db
SHA256 22c8e0b88d08f44103b1e41e47f3ebe323d00ec8d737f7f34e724bad6922d9bf
SHA512 58b95bbdc4ec9e72c9d6d6ec919a021be1c9c4ddda933e2ac9c884351dde5a304d2f7a262256176b89542d3b1893457d3c70c994d58578ead785e41853acf18b
-
Filesize 19.8MB
MD5 41dc282cbf89b0737ae6dd2de5a71015
SHA1 4aac4bafaf43be690089549584770f9e88630b45
SHA256 b8049a022430c34f0b8b3c9f357a9afa4fd6cb940b7353a610d1f53fb5bf471c
SHA512 ee8f3af6c633385eb1c7022189604c16948fd9fb0da1eb017d529872df2f075b26bdc158cf2ef4772237f338d87d9f6dc1944381cd65c5a636add0e22a599d6d
-
Filesize 337KB
MD5 90a4b7fc6807693e68dd32b68614d989
SHA1 785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c
-
Filesize 379KB
MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54
-
Filesize 1.6MB
MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d
-
Filesize 259KB
MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6
-
Filesize 364KB
MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401
-
Filesize 859KB
MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae
-
C:\ProgramData\Remote Manipulator System\msi\70170_{CA01AB2D-E912-4FC0-AD52-2D610BE0D1CF}\RMS.7.1.7.0_configured_client.msi
(same hashes as the submitted sample: the installer's own copy of the MSI, cached under ProgramData; compare the rfusclient.exe -msi_copy step in the process tree)
Filesize 21.5MB
MD5 282e49971af85d26fcc453c1604dbca2
SHA1 e2fa2c353891cd1782d0237a65d86bd4ad9e811c
SHA256 7246aefd7681d59bc981afbece29efbe31ce1aabac8c3ee6d74a4e52afcda468
SHA512 486be3d725bf9828521fd883033eb1ee9c2b5cc3faee0bf8cab829deccff70c6510f92088876193ba7d3249390a4e0c166cf07850917a8fe2c1e5845a5e83705
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize 471B
MD5 6ffcc08afff66cb043499364b8d087b3
SHA1 697582ea5a9bbd0fa7379c56cf6819942444ad7e
SHA256 a9345354e0efb6635b68e28cc14d15fa9b29d9d9a60734780ed92ae53e428c18
SHA512 155c87a07e7732977bb540b8517c1fbb6ccde96ea0c9cda4a1531353e038a0d6d05e4d2dd6187a468a7811bee640eb47a64eb38d45053a7d09cd2c60ac0d3398
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F
Filesize 471B
MD5 e5a7c1c1bddfe96adba491bdb4dc2dc4
SHA1 dae98cf0a90833f51f9bd527cf396327018501f2
SHA256 b154d4cd22bc400c4159504295dc38a1cb8d3511ab3203ccc9e82c06be70da63
SHA512 db83b0f7159d47a0a884369de2c45dd729882061b3b7cc07c97b5b848f9b648684fb3ad3281b75dab334632b40b520164ea41791b64781d61907f674981ec065
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize 404B
MD5 d562cb0ac5895344eadb999a9ea9d51e
SHA1 1abd9802e0576b42f5037ca8e30ab0dbe1716bee
SHA256 fde04d67dedab5a9a2f2792821b9b1e2aa54d16cc3e0fec4c5bec9ecfa51827e
SHA512 7417bfa8cfe3357b9b1d12a91996b11731cd38026e41ec92c99d5c809ee5d93be847ffe5b6c45b7db7f43cea6c84688ccd2d8c582eff2d0a60c3f2d1df3a3412
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F
Filesize 408B
MD5 1725cd0ba9325b5cc60f0e2c8c0e9c77
SHA1 80b0d6bb240a98490c04d18dd3ad74f76da3d81e
SHA256 2ee1f157d950f0b0836c0963b2773868445c567364eff89c5969d78080441035
SHA512 fdd0331b749a2830f84785617f01144f2a67c2597a0f186a5ddbc8673a739004c569ef5fd89c85d8257b0a909eebc7daaed5bde960a91ea35c94ebfea82a5012
-
Filesize 165KB
MD5 b5adf92090930e725510e2aafe97434f
SHA1 eb9aff632e16fcb0459554979d3562dcf5652e21
SHA256 1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b
SHA512 1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509
-
Filesize 24.1MB
MD5 fd309f0efe4a9b971e95ec0e28b4c8eb
SHA1 ed8082c618c5e711fcb09f8bcb0be89be2335320
SHA256 14a222127b0f0f96e1eaeed581732a8e9fbb34d30f9e832e47f0618a227850e7
SHA512 c9b6da0b7f9f8939933b9d7cd8de995872a0fe64d79c269697b065e86e76dd0be569a3217267de1baf24a419710f572b8e7e9ae08140cefbff76c87300450157
-
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b585e5cf-3174-4937-8160-48aa4b908f73}_OnDiskSnapshotProp
(System Restore snapshot metadata written during the installer's restore-point creation, see the Volume Shadow Copy signature above)
Filesize 6KB
MD5 907dd3dd2b6af26daf6cbbe0963da9f2
SHA1 f91cf64b084c0705b087be98adbbbc4f59513840
SHA256 c5b4284a7eae42f20690ab9e44c2272f564683dd3cb15d776095390bb98dd097
SHA512 b4703b00d29aa36c89c7a42801b632b257c64c7d099018c92bb778f6aa79d7dba96b9cc234982d2634f1eed2e3b68efd446de1d55e81e4e641d3a78e727655e8