Malware Analysis Report

2024-11-30 19:36

Sample ID 220208-cae7msbhcl
Target 5598febfbf00839c9f7047d9fe3205e3.exe
SHA256 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a
Tags upx rms rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a

Threat Level: Known bad

The file 5598febfbf00839c9f7047d9fe3205e3.exe was found to be: Known bad.

Malicious Activity Summary

upx rms rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

RMS

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-02-08 01:52

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-02-08 01:52

Reported 2022-02-08 01:56

Platform win7-en-20211208

Max time kernel 171s

Max time network 202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1668 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1668 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1668 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 640 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 640 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 640 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 640 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 984 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe

"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user

Network

Country Destination Domain Proto
US 8.8.8.8:53 mail-server.mephi.ru udp
RU 85.143.112.141:587 mail-server.mephi.ru tcp
RU 85.143.112.188:5655 tcp

Files

memory/1668-54-0x0000000075431000-0x0000000075433000-memory.dmp

memory/1668-55-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/640-60-0x0000000000270000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

memory/836-71-0x0000000000330000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

memory/836-74-0x0000000002F70000-0x0000000003140000-memory.dmp

memory/836-73-0x0000000002F70000-0x0000000003370000-memory.dmp

memory/984-77-0x0000000001860000-0x0000000001861000-memory.dmp

memory/984-80-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat

MD5 213e79b14523d2b27c0a0b4043dfe768
SHA1 00df82db9ad3b30abc576c40d513affc89a7ce85
SHA256 c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4
SHA512 e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad

memory/984-89-0x0000000005840000-0x0000000005841000-memory.dmp

memory/984-88-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/984-90-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/984-93-0x0000000005B30000-0x0000000005B31000-memory.dmp

memory/984-94-0x0000000005B80000-0x0000000005B81000-memory.dmp

memory/984-95-0x0000000005B90000-0x0000000005B91000-memory.dmp

memory/1700-96-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/984-97-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

memory/984-98-0x0000000005C30000-0x0000000005C31000-memory.dmp

memory/984-99-0x0000000005C40000-0x0000000005C41000-memory.dmp

memory/984-100-0x0000000005E10000-0x0000000005E11000-memory.dmp

memory/1700-101-0x0000000004D60000-0x0000000004D61000-memory.dmp

memory/1700-102-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png

MD5 8fd9d6cf6230410b54f912009c8236a0
SHA1 a614451e1a8d046681bc06d86e82e6d6e03edf25
SHA256 fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678
SHA512 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini

MD5 31418147ef4b0577540bc410960d6ab0
SHA1 6d0e9506187588ae99dcc8e6ac39338477a03cd7
SHA256 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa
SHA512 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6

memory/1700-105-0x0000000004E60000-0x0000000004E61000-memory.dmp

memory/984-106-0x0000000006B60000-0x0000000006B61000-memory.dmp

memory/984-108-0x0000000004B10000-0x0000000004B11000-memory.dmp

memory/984-107-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/984-109-0x0000000005A00000-0x0000000005A01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-02-08 01:52

Reported 2022-02-08 01:56

Platform win10v2004-en-20220113

Max time kernel 185s

Max time network 207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4476 created 1924 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3b
db297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 3576 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 3576 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1252 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 1252 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 1252 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 4476 wrote to memory of 4224 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 4476 wrote to memory of 4224 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 4476 wrote to memory of 4224 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 4224 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 4224 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 4224 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe

"C:\Users\Admin\AppData\Local\Temp\5598febfbf00839c9f7047d9fe3205e3.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 20.42.65.84:443 tcp
US 8.8.8.8:53 crl3.digicert.com udp
US 93.184.220.29:80 crl3.digicert.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl4.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 mail-server.mephi.ru udp
RU 85.143.112.141:587 mail-server.mephi.ru tcp
RU 85.143.112.188:5655 tcp
US 8.8.8.8:53 t2.symcb.com udp
DE 23.51.123.27:80 t2.symcb.com tcp
US 8.8.8.8:53 tl.symcd.com udp
DE 23.51.123.27:80 tl.symcd.com tcp
FR 2.16.119.157:443 tcp
FR 2.16.119.157:443 tcp

Files

memory/3576-130-0x00000000048C0000-0x00000000048C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/1252-133-0x0000000001710000-0x0000000001711000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

memory/1924-140-0x000000000360A000-0x00000000037D0000-memory.dmp

memory/1924-141-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

memory/1924-142-0x0000000005150000-0x0000000005151000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

memory/4224-158-0x0000000004E20000-0x0000000004E21000-memory.dmp

memory/4160-159-0x000002C6171A0000-0x000002C6171A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat

MD5 213e79b14523d2b27c0a0b4043dfe768
SHA1 00df82db9ad3b30abc576c40d513affc89a7ce85
SHA256 c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4
SHA512 e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad

memory/4224-167-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/4224-168-0x0000000005150000-0x0000000005151000-memory.dmp

memory/4224-169-0x00000000050E0000-0x00000000050E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/4224-171-0x0000000005170000-0x0000000005171000-memory.dmp

memory/4224-172-0x0000000005180000-0x0000000005181000-memory.dmp

memory/3692-173-0x00000000013D0000-0x00000000013D1000-memory.dmp

memory/4224-174-0x00000000056A0000-0x00000000056A1000-memory.dmp

memory/4224-175-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/4224-177-0x0000000006010000-0x0000000006011000-memory.dmp

memory/4224-176-0x0000000006160000-0x0000000006161000-memory.dmp

memory/3692-178-0x0000000004800000-0x0000000004801000-memory.dmp

memory/3692-179-0x0000000004860000-0x0000000004861000-memory.dmp

memory/3692-180-0x00000000048F0000-0x00000000048F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png

MD5 8fd9d6cf6230410b54f912009c8236a0
SHA1 a614451e1a8d046681bc06d86e82e6d6e03edf25
SHA256 fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678
SHA512 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini

MD5 31418147ef4b0577540bc410960d6ab0
SHA1 6d0e9506187588ae99dcc8e6ac39338477a03cd7
SHA256 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa
SHA512 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6

memory/4224-183-0x0000000006730000-0x0000000006731000-memory.dmp

memory/4224-184-0x0000000006740000-0x0000000006741000-memory.dmp

memory/4224-185-0x0000000006790000-0x0000000006791000-memory.dmp

memory/4224-186-0x00000000068C0000-0x00000000068C1000-memory.dmp