Analysis Overview
SHA256
02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a
Threat Level: Known bad
The file 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe was found to be: Known bad.
Malicious Activity Summary
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 02:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 02:17
Reported
2022-02-08 02:28
Platform
win7-en-20211208
Max time kernel
614s
Max time network
620s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe
"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail-server.mephi.ru | udp |
| RU | 85.143.112.141:587 | mail-server.mephi.ru | tcp |
| RU | 85.143.112.188:5655 | tcp |
Files
memory/1932-55-0x0000000076511000-0x0000000076513000-memory.dmp
memory/1932-56-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/968-61-0x0000000000270000-0x0000000000271000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
memory/804-73-0x00000000002B0000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/1840-77-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/1840-79-0x0000000002F10000-0x00000000030A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat
| MD5 | 213e79b14523d2b27c0a0b4043dfe768 |
| SHA1 | 00df82db9ad3b30abc576c40d513affc89a7ce85 |
| SHA256 | c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4 |
| SHA512 | e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad |
memory/1840-88-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/1840-87-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/1840-89-0x0000000004B40000-0x0000000004B41000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/1840-92-0x00000000056E0000-0x00000000059D0000-memory.dmp
memory/1840-93-0x00000000056E0000-0x00000000059D0000-memory.dmp
memory/1840-94-0x0000000005A10000-0x0000000005A11000-memory.dmp
memory/1840-95-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/1840-96-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/1840-97-0x0000000005D50000-0x0000000005D51000-memory.dmp
memory/1488-98-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1488-99-0x00000000043E0000-0x00000000043E1000-memory.dmp
memory/1488-100-0x0000000004440000-0x0000000004441000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png
| MD5 | 8fd9d6cf6230410b54f912009c8236a0 |
| SHA1 | a614451e1a8d046681bc06d86e82e6d6e03edf25 |
| SHA256 | fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678 |
| SHA512 | 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8 |
memory/1488-102-0x0000000004E40000-0x0000000004E41000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini
| MD5 | 31418147ef4b0577540bc410960d6ab0 |
| SHA1 | 6d0e9506187588ae99dcc8e6ac39338477a03cd7 |
| SHA256 | 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa |
| SHA512 | 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6 |
memory/1840-104-0x0000000005E90000-0x0000000005FA0000-memory.dmp
memory/1840-106-0x0000000006A80000-0x0000000006A81000-memory.dmp
memory/1840-105-0x0000000006A70000-0x0000000006A71000-memory.dmp
memory/1840-107-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 02:17
Reported
2022-02-08 02:28
Platform
win10v2004-en-20220113
Max time kernel
641s
Max time network
659s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 448 created 1648 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe
"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 20.189.173.2:443 | tcp | |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | mail-server.mephi.ru | udp |
| RU | 85.143.112.141:587 | mail-server.mephi.ru | tcp |
| RU | 85.143.112.188:5655 | tcp | |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.51.123.27:80 | t2.symcb.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.51.123.27:80 | tl.symcd.com | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
memory/1952-130-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/484-133-0x00000000011D0000-0x00000000011D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/1648-140-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/1648-141-0x0000000005010000-0x0000000005011000-memory.dmp
memory/1648-142-0x0000000005060000-0x0000000005061000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
| MD5 | a4ebaae03c33f847be0938570445aeaa |
| SHA1 | 8665c2c26924e3fe70c39a2b8513d7f076dba10b |
| SHA256 | 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8 |
| SHA512 | e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll
| MD5 | f8fbc228c3139532971f66881262b940 |
| SHA1 | f1655c3b836c764fdc0bb07661c3ef70a9f51318 |
| SHA256 | e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604 |
| SHA512 | cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll
| MD5 | fe8cda03e1df3c3a6dc8375263e790c3 |
| SHA1 | 67955da301ef89cd0429074e403769721e7594be |
| SHA256 | 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd |
| SHA512 | 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f |
memory/3192-146-0x00000000035FB000-0x00000000038A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat
| MD5 | 213e79b14523d2b27c0a0b4043dfe768 |
| SHA1 | 00df82db9ad3b30abc576c40d513affc89a7ce85 |
| SHA256 | c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4 |
| SHA512 | e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
memory/3192-155-0x00000000056E0000-0x00000000056E1000-memory.dmp
memory/3192-154-0x0000000005590000-0x0000000005591000-memory.dmp
memory/3192-156-0x0000000005450000-0x0000000005451000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
| MD5 | 0bde36e64c97bc8c2cb02aa05249fe28 |
| SHA1 | 7939e68abddb44f1d91acb2694e3c56ef85371eb |
| SHA256 | 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d |
| SHA512 | 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d |
memory/3192-158-0x0000000005580000-0x0000000005581000-memory.dmp
memory/3192-159-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
memory/3192-161-0x0000000005550000-0x0000000005551000-memory.dmp
memory/3192-160-0x0000000005540000-0x0000000005541000-memory.dmp
memory/3192-162-0x0000000005560000-0x0000000005561000-memory.dmp
memory/3192-163-0x0000000005570000-0x0000000005571000-memory.dmp
memory/492-164-0x0000000002D5C000-0x0000000002F20000-memory.dmp
memory/492-165-0x0000000004950000-0x0000000004951000-memory.dmp
memory/492-166-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png
| MD5 | 8fd9d6cf6230410b54f912009c8236a0 |
| SHA1 | a614451e1a8d046681bc06d86e82e6d6e03edf25 |
| SHA256 | fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678 |
| SHA512 | 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini
| MD5 | 31418147ef4b0577540bc410960d6ab0 |
| SHA1 | 6d0e9506187588ae99dcc8e6ac39338477a03cd7 |
| SHA256 | 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa |
| SHA512 | 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6 |
memory/492-169-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/3192-170-0x0000000005510000-0x0000000005511000-memory.dmp
memory/3192-172-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
memory/3192-171-0x0000000005520000-0x0000000005521000-memory.dmp
memory/3192-173-0x0000000005C50000-0x0000000005C51000-memory.dmp
memory/4424-180-0x000001D18E730000-0x000001D18E740000-memory.dmp