Analysis Overview
SHA256
02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a
Threat Level: Known bad
The file 5598febfbf00839c9f7047d9fe3205e3.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
RMS
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 01:52
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 01:52
Reported
2022-02-08 01:56
Platform
win7-en-20211208
Max time kernel
171s
Max time network
202s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe
"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail-server.mephi.ru | udp |
| RU | 85.143.112.141:587 | mail-server.mephi.ru | tcp |
| RU | 85.143.112.188:5655 | tcp |
Files
memory/1668-54-0x0000000075431000-0x0000000075433000-memory.dmp
memory/1668-55-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/640-60-0x0000000000270000-0x0000000000271000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
memory/836-71-0x0000000000330000-0x0000000000331000-memory.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/836-74-0x0000000002F70000-0x0000000003140000-memory.dmp
memory/836-73-0x0000000002F70000-0x0000000003370000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
memory/984-77-0x0000000001860000-0x0000000001861000-memory.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/984-80-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat
| MD5 | 213e79b14523d2b27c0a0b4043dfe768 |
| SHA1 | 00df82db9ad3b30abc576c40d513affc89a7ce85 |
| SHA256 | c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4 |
| SHA512 | e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad |
memory/984-89-0x0000000005840000-0x0000000005841000-memory.dmp
memory/984-88-0x0000000004C00000-0x0000000004C01000-memory.dmp
memory/984-90-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/984-93-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/984-94-0x0000000005B80000-0x0000000005B81000-memory.dmp
memory/984-95-0x0000000005B90000-0x0000000005B91000-memory.dmp
memory/1700-96-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/984-97-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
memory/984-98-0x0000000005C30000-0x0000000005C31000-memory.dmp
memory/984-99-0x0000000005C40000-0x0000000005C41000-memory.dmp
memory/984-100-0x0000000005E10000-0x0000000005E11000-memory.dmp
memory/1700-101-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/1700-102-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png
| MD5 | 8fd9d6cf6230410b54f912009c8236a0 |
| SHA1 | a614451e1a8d046681bc06d86e82e6d6e03edf25 |
| SHA256 | fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678 |
| SHA512 | 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini
| MD5 | 31418147ef4b0577540bc410960d6ab0 |
| SHA1 | 6d0e9506187588ae99dcc8e6ac39338477a03cd7 |
| SHA256 | 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa |
| SHA512 | 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6 |
memory/1700-105-0x0000000004E60000-0x0000000004E61000-memory.dmp
memory/984-106-0x0000000006B60000-0x0000000006B61000-memory.dmp
memory/984-108-0x0000000004B10000-0x0000000004B11000-memory.dmp
memory/984-107-0x0000000004B00000-0x0000000004B01000-memory.dmp
memory/984-109-0x0000000005A00000-0x0000000005A01000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 01:52
Reported
2022-02-08 01:56
Platform
win10v2004-en-20220113
Max time kernel
185s
Max time network
207s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4476 created 1924 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe
"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 20.42.65.84:443 | tcp | |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail-server.mephi.ru | udp |
| RU | 85.143.112.141:587 | mail-server.mephi.ru | tcp |
| RU | 85.143.112.188:5655 | tcp | |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.51.123.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.51.123.27:80 | tl.symcd.com | tcp |
| FR | 2.16.119.157:443 | tcp | |
| FR | 2.16.119.157:443 | tcp |
Files
memory/3576-130-0x00000000048C0000-0x00000000048C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/1252-133-0x0000000001710000-0x0000000001711000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/1924-140-0x000000000360A000-0x00000000037D0000-memory.dmp
memory/1924-141-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
memory/1924-142-0x0000000005150000-0x0000000005151000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
memory/4224-158-0x0000000004E20000-0x0000000004E21000-memory.dmp
memory/4160-159-0x000002C6171A0000-0x000002C6171A4000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat
| MD5 | 213e79b14523d2b27c0a0b4043dfe768 |
| SHA1 | 00df82db9ad3b30abc576c40d513affc89a7ce85 |
| SHA256 | c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4 |
| SHA512 | e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad |
memory/4224-167-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/4224-168-0x0000000005150000-0x0000000005151000-memory.dmp
memory/4224-169-0x00000000050E0000-0x00000000050E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/4224-171-0x0000000005170000-0x0000000005171000-memory.dmp
memory/4224-172-0x0000000005180000-0x0000000005181000-memory.dmp
memory/3692-173-0x00000000013D0000-0x00000000013D1000-memory.dmp
memory/4224-174-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/4224-175-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/4224-177-0x0000000006010000-0x0000000006011000-memory.dmp
memory/4224-176-0x0000000006160000-0x0000000006161000-memory.dmp
memory/3692-178-0x0000000004800000-0x0000000004801000-memory.dmp
memory/3692-179-0x0000000004860000-0x0000000004861000-memory.dmp
memory/3692-180-0x00000000048F0000-0x00000000048F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png
| MD5 | 8fd9d6cf6230410b54f912009c8236a0 |
| SHA1 | a614451e1a8d046681bc06d86e82e6d6e03edf25 |
| SHA256 | fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678 |
| SHA512 | 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini
| MD5 | 31418147ef4b0577540bc410960d6ab0 |
| SHA1 | 6d0e9506187588ae99dcc8e6ac39338477a03cd7 |
| SHA256 | 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa |
| SHA512 | 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6 |
memory/4224-183-0x0000000006730000-0x0000000006731000-memory.dmp
memory/4224-184-0x0000000006740000-0x0000000006741000-memory.dmp
memory/4224-185-0x0000000006790000-0x0000000006791000-memory.dmp
memory/4224-186-0x00000000068C0000-0x00000000068C1000-memory.dmp