Malware Analysis Report

2024-11-30 19:53

Sample ID: 220208-cqr65scbb6
Target: 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe
SHA256: 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a
Tags: rms rat trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a

Threat Level: Known bad

The file 02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe was found to be: Known bad.

Malicious Activity Summary

rms rat trojan upx

RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies system certificate store

RMS here is Remote Utilities (formerly Remote Manipulator System), a commercial remote-administration product. The dropped rutserv.exe (the host service) and rfusclient.exe (its user-session component, started here with /tray /user) are that product's own binaries, so the hashes in the Files section identify a build of the tool rather than bespoke malware. What makes the sample malicious is the UPX-packed dropper that silently installs an already-configured agent (settings.dat, branding.ini) under %APPDATA%\RMS Agent and lets it reach out on its own.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-08 02:17

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-08 02:17

Reported

2022-02-08 02:28

Platform

win7-en-20211208

Max time kernel

614s

Max time network

620s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"

Signatures

RMS

trojan rat rms

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A

Note: this signature fires on any read of Geo\Nation. Reading the configured country is how locale-aware software chooses its language and also how some malware geofences; the read by itself does not tell the two apart, and here it comes from the Remote Utilities binaries, not from the dropper.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1932 wrote to memory of 968 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 968 wrote to memory of 804 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 1840 wrote to memory of 1488 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe
  "C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user

Note: the WriteProcessMemory rows above give the order of the chain. The dropper (PID 1932) wrote into rfusclient.exe -run_agent (PID 968), which wrote into rutserv.exe -run_agent (PID 804); a second rutserv.exe instance (PID 1840) wrote into rfusclient.exe /tray /user (PID 1488). Those writes are consistent with each process being the parent of the next, i.e. the dropper unpacks the agent and hands off to it, and the agent then installs itself as the host service and puts a tray component into the user session.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mail-server.mephi.ru | udp
RU | 85.143.112.141:587 | mail-server.mephi.ru | tcp
RU | 85.143.112.188:5655 | (none) | tcp

Note: the first row is the DNS query for mail-server.mephi.ru sent to Google's resolver; the second is a connection to that mail server on 587/tcp, the SMTP submission port, i.e. an outbound mail submission from the agent rather than a command channel. The third destination has no resolved name in the report.
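An added example, not taken from the report and not Remote Utilities code, that turns the chain above into detection logic over process-creation and network-connection events: an agent binary (rutserv.exe, rfusclient.exe) executing from an AppData\Roaming\RMS Agent directory, the -run_agent and /tray /user switches, an agent whose parent runs from %TEMP%, and outbound connections from an agent process to 587/tcp or 5655/tcp. The events are constructed to mirror the behavioral1 run; the parent of PID 1840 and the attribution of the two connections to PID 1840 are assumptions, since the report records neither.

```python
"""Added example: hunt for the RMS (Remote Utilities) silent-install chain in
process-creation and network-connection telemetry. The events are constructed
to mirror the behavioral1 run; they are not from a real log."""
import re
from dataclasses import dataclass

# Indicators taken from the report's Processes and Network sections.
RMS_DIR_RE = re.compile(r"\\AppData\\Roaming\\RMS Agent\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
RMS_SWITCHES = ("-run_agent", "/tray /user")
SUSPECT_PORTS = {587, 5655}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int
    proto: str


def is_rms_agent_image(image: str) -> bool:
    """Agent binary name AND the AppData drop directory; a copy of the same
    tool installed under Program Files does not match this rule."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in RMS_BINARIES and RMS_DIR_RE.search(image) is not None


def hunt(proc_events, net_events):
    """Return (rule, pid, detail) findings for the RMS install chain."""
    findings = []
    by_pid = {e.pid: e for e in proc_events}
    agent_pids = set()
    for e in proc_events:
        if not is_rms_agent_image(e.image):
            continue
        agent_pids.add(e.pid)
        findings.append(("rms_agent_image", e.pid, e.image))
        if any(s in e.cmdline for s in RMS_SWITCHES):
            findings.append(("rms_agent_switch", e.pid, e.cmdline))
        parent = by_pid.get(e.ppid)
        # The dropper ran from %TEMP%; an agent whose parent lives there is
        # the silent-install pattern, not an administrator's own install.
        if parent is not None and TEMP_DIR_RE.search(parent.image):
            findings.append(("rms_spawned_from_temp", e.pid,
                             f"parent {parent.pid} {parent.image}"))
    for n in net_events:
        if n.pid in agent_pids and n.dst_port in SUSPECT_PORTS:
            findings.append(("rms_agent_outbound", n.pid,
                             f"{n.dst_ip}:{n.dst_port}/{n.proto}"))
    return findings


# Constructed sample telemetry. PIDs, images and command lines follow the
# report; the parent of 1840 and the PID behind the connections are assumed.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"
AGENT_DIR = r"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2"
RUTSERV = AGENT_DIR + r"\rutserv.exe"
RFUSCLIENT = AGENT_DIR + r"\rfusclient.exe"

SAMPLE_PROCS = [
    ProcEvent(1932, 1500, DROPPER, f'"{DROPPER}"'),
    ProcEvent(968, 1932, RFUSCLIENT, f'"{RFUSCLIENT}" -run_agent'),
    ProcEvent(804, 968, RUTSERV, f'"{RUTSERV}" -run_agent'),
    ProcEvent(1840, 804, RUTSERV, f'"{RUTSERV}" -run_agent -second'),
    ProcEvent(1488, 1840, RFUSCLIENT, f'"{RFUSCLIENT}" /tray /user'),
    ProcEvent(2000, 1500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]
SAMPLE_NET = [
    NetEvent(1840, "85.143.112.141", 587, "tcp"),
    NetEvent(1840, "85.143.112.188", 5655, "tcp"),
    NetEvent(2000, "203.0.113.10", 443, "tcp"),  # benign control, TEST-NET address
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_PROCS, SAMPLE_NET):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

The path rule is deliberately narrower than "rutserv.exe anywhere": an administrator's own Remote Utilities install lives under Program Files, while this sample plants the agent in the roaming profile, and that location plus a %TEMP% parent is what separates the two in telemetry that carries no hashes.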

Files

memory/1932-55-0x0000000076511000-0x0000000076513000-memory.dmp

memory/1932-56-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/968-61-0x0000000000270000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

memory/804-73-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1840-77-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1840-79-0x0000000002F10000-0x00000000030A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat

MD5 213e79b14523d2b27c0a0b4043dfe768
SHA1 00df82db9ad3b30abc576c40d513affc89a7ce85
SHA256 c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4
SHA512 e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad

memory/1840-88-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

memory/1840-87-0x0000000005A80000-0x0000000005A81000-memory.dmp

memory/1840-89-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/1840-92-0x00000000056E0000-0x00000000059D0000-memory.dmp

memory/1840-93-0x00000000056E0000-0x00000000059D0000-memory.dmp

memory/1840-94-0x0000000005A10000-0x0000000005A11000-memory.dmp

memory/1840-95-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

memory/1840-96-0x0000000005B00000-0x0000000005B01000-memory.dmp

memory/1840-97-0x0000000005D50000-0x0000000005D51000-memory.dmp

memory/1488-98-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1488-99-0x00000000043E0000-0x00000000043E1000-memory.dmp

memory/1488-100-0x0000000004440000-0x0000000004441000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png

MD5 8fd9d6cf6230410b54f912009c8236a0
SHA1 a614451e1a8d046681bc06d86e82e6d6e03edf25
SHA256 fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678
SHA512 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8

memory/1488-102-0x0000000004E40000-0x0000000004E41000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini

MD5 31418147ef4b0577540bc410960d6ab0
SHA1 6d0e9506187588ae99dcc8e6ac39338477a03cd7
SHA256 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa
SHA512 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6

memory/1840-104-0x0000000005E90000-0x0000000005FA0000-memory.dmp

memory/1840-106-0x0000000006A80000-0x0000000006A81000-memory.dmp

memory/1840-105-0x0000000006A70000-0x0000000006A71000-memory.dmp

memory/1840-107-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
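An added example (not part of the report, not Remote Utilities code) that turns the Files section into a sweep: it hashes every file under a directory tree, matches SHA-256 against the dropped-file hashes listed above, and, because a different build of the agent would share none of those hashes, also flags the durable indicator, the agent's file names under an AppData\Roaming\RMS Agent path. demo() builds a constructed profile tree in a temporary directory (the rutserv.exe stand-in does not have the real hash, and invoice.exe is a constructed file registered as an extra IOC), so the block runs offline.

```python
"""Added example: sweep a directory tree for the files this sample drops, by
SHA-256 and by the agent's path/name pattern. Hashes are copied from the
report's Files section; the directory tree in demo() is constructed."""
import hashlib
import os
import re
import tempfile

# SHA-256 -> file name, from the behavioral1 Files section.
RMS_SHA256 = {
    "6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d": "rfusclient.exe",
    "423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8": "rutserv.exe",
    "1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd": "ssleay32.dll",
    "e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604": "libeay32.dll",
    "c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4": "settings.dat",
}
# Durable indicator: a different build of the agent changes every hash above
# but still lands as these names under an AppData\Roaming\RMS Agent directory.
RMS_NAMES = {"rutserv.exe", "rfusclient.exe", "settings.dat"}
RMS_DIR_RE = re.compile(r"[\\/]AppData[\\/]Roaming[\\/]RMS Agent[\\/]", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hash_iocs=RMS_SHA256):
    """Return (kind, path, sha256) hits; kind is 'hash' or 'path'."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in hash_iocs:
                hits.append(("hash", path, digest))
            elif name.lower() in RMS_NAMES and RMS_DIR_RE.search(path):
                hits.append(("path", path, digest))
    return hits


def demo():
    """Construct a profile tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        agent = os.path.join(root, "AppData", "Roaming", "RMS Agent", "70020", "2D1DBD89B2")
        os.makedirs(agent)
        # Constructed stand-in: right name and directory, wrong bytes, so only
        # the path rule can catch it.
        with open(os.path.join(agent, "rutserv.exe"), "wb") as f:
            f.write(b"MZ constructed stand-in, not the real agent")
        # Constructed file registered as an extra hash IOC to exercise the hash rule.
        downloads = os.path.join(root, "Downloads")
        os.makedirs(downloads)
        hot = os.path.join(downloads, "invoice.exe")
        with open(hot, "wb") as f:
            f.write(b"MZ constructed payload")
        iocs = dict(RMS_SHA256)
        iocs[sha256_file(hot)] = "invoice.exe"
        return sweep(root, iocs)


if __name__ == "__main__":
    for kind, path, digest in demo():
        print(f"{kind:<5} {digest[:16]}... {path}")
```

Run against a mounted image or a collected profile directory, the hash hits confirm this exact build and the path hits catch a re-packaged one; a hit of the second kind is the one to triage by hand, since a genuine Remote Utilities install under Program Files never lands in the roaming profile.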

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-08 02:17

Reported

2022-02-08 02:28

Platform

win10v2004-en-20220113

Max time kernel

641s

Max time network

659s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 448 created 1648 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

Note: this signature fires whenever the process that calls NtCreateUserProcess is not the parent recorded for the child. Here the creator is a service host (svchost.exe, PID 448), which is what a launch through a service-hosted component such as the Task Scheduler looks like; deliberate parent-PID spoofing by malware produces the same signature, so the identity of the creating process is the detail to check before calling this evasion.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_5CEF6F51E318C288850DB2D9275D6665 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A

Note: every path is under C:\Windows\SysWOW64\config\systemprofile, the profile of the LocalSystem account, and CryptnetUrlCache is CryptoAPI's cache for CRL, AIA and root-update downloads. These writes show rutserv.exe running as a 32-bit process under LocalSystem and building a certificate chain; nothing is dropped into System32 itself.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A
File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A

Note: all eight files are written by svchost.exe and TiWorker.exe (Windows Update and the servicing stack), not by the sample or the RMS agent; this is background activity of the win10v2004 image during the 641 s run and should not be counted against the sample.

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | (each key listed below) | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A

Keys created (42, in the order reported):
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs

Note: these are the per-user certificate stores of the .DEFAULT hive, the profile LocalSystem uses. CryptoAPI creates the empty store keys on first use when a process running as a service opens the user stores, so this is the same chain-building activity as the CryptnetUrlCache writes above; no certificate is placed in any of these keys.

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe | N/A

Note: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 is the SHA-1 thumbprint of the DigiCert Assured ID Root CA, and AuthRoot is the store that CryptoAPI's automatic root update writes to when a chain needs a root that is not yet on the machine. Taken with the CryptnetUrlCache writes above, this is the OS fetching a Microsoft-distributed root on the agent's behalf while it validated a certificate chain, not the sample planting its own root. A root installed by an attacker to defeat TLS inspection would normally appear under ...\SystemCertificates\Root with a thumbprint that is not in the Microsoft trusted root program, and that is the check to make before treating this signature as evasion.
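A practical check on a "Modifies system certificate store" hit, as an added example written for this page (not Remote Utilities code and not part of the sandbox report): a parser for the serialized property blob that Windows stores under a Certificates\<SHA1>\Blob value, which recovers the DER certificate (property 32, CERT_CERT_PROP_ID) and the cached SHA-1 (property 3), confirms that the key name really is the certificate's thumbprint, and compares it with an allow-list of roots Microsoft distributes. The blob from this run is not reproduced on the page, so SAMPLE_BLOB is constructed around a placeholder DER payload; the KNOWN_AUTHROOT entry for 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 (DigiCert Assured ID Root CA) is the only real thumbprint in the block.

```python
r"""Added example: parse the serialized property blob that Windows keeps under
SystemCertificates\<store>\Certificates\<SHA1>\Blob, check that the embedded
certificate really has the thumbprint the key name claims, and classify the
write against an allow-list of roots delivered by automatic root update.
The blob is constructed around a placeholder DER payload; the report does not
reproduce the real value."""
import hashlib
import struct

# Property ids from wincrypt.h.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Thumbprints whose arrival in AuthRoot is expected CryptoAPI behaviour. The
# entry below is the key name from the report: the DigiCert Assured ID Root CA.
KNOWN_AUTHROOT = {
    "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43": "DigiCert Assured ID Root CA",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Blob = sequence of records: u32 property id, u32 reserved (1 in
    practice), u32 length, then the property bytes. Returns {id: bytes}."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header")
        prop_id, _reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if off + size > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def build_cert_blob(props: dict) -> bytes:
    """Inverse of parse_cert_blob; used here to construct the sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def classify_authroot_write(key_name: str, blob: bytes) -> str:
    """Compare the DER's real thumbprint with the key name and the allow-list."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return "no-certificate"
    thumb = hashlib.sha1(der).hexdigest().upper()
    if thumb != key_name.upper():
        return "thumbprint-mismatch"      # key name does not match its contents
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored != bytes.fromhex(thumb):
        return "hash-property-mismatch"   # cached hash disagrees with the DER
    return "known-root" if thumb in KNOWN_AUTHROOT else "unknown-root"


# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed DER placeholder"
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_cert_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
    CERT_FRIENDLY_NAME_PROP_ID: "constructed\0".encode("utf-16-le"),
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == "__main__":
    print(classify_authroot_write(FAKE_THUMB, SAMPLE_BLOB))                    # unknown-root
    print(classify_authroot_write(next(iter(KNOWN_AUTHROOT)), SAMPLE_BLOB))   # thumbprint-mismatch
```

On a live system the blob comes from the registry (or from an exported hive in forensics) and "known-root" under AuthRoot is the benign outcome seen in this run; "unknown-root" under Root, or any mismatch between key name and contents, is what deserves a closer look.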

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe (4 events) | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe (16 events) | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1952 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 1952 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 484 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 484 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 484 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 448 wrote to memory of 3192 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 448 wrote to memory of 3192 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 448 wrote to memory of 3192 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe
PID 3192 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 3192 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe
PID 3192 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe

"C:\Users\Admin\AppData\Local\Temp\02dda0916789c0c3572cbbf0e119cbae7be42e10eca39be66bbaaf2468a62b7a.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe" /tray /user

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 crl3.digicert.com udp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 mail-server.mephi.ru udp
RU 85.143.112.141:587 mail-server.mephi.ru tcp
RU 85.143.112.188:5655 tcp
US 8.8.8.8:53 t2.symcb.com udp
DE 23.51.123.27:80 t2.symcb.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 tl.symcd.com udp
DE 23.51.123.27:80 tl.symcd.com tcp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 93.184.220.29:80 crl3.digicert.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp

Files

memory/1952-130-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/484-133-0x00000000011D0000-0x00000000011D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

memory/1648-140-0x0000000001B70000-0x0000000001B71000-memory.dmp

memory/1648-141-0x0000000005010000-0x0000000005011000-memory.dmp

memory/1648-142-0x0000000005060000-0x0000000005061000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rutserv.exe

MD5 a4ebaae03c33f847be0938570445aeaa
SHA1 8665c2c26924e3fe70c39a2b8513d7f076dba10b
SHA256 423c1eea0ed0ae5500ddee763b020478e6abc215361277564af52fed2f0562a8
SHA512 e701bf3dabd53e4219c043503eba93f7e3b67cfa4efbd3dcce3a7e8b8b5340e18fc3877341545d7beff879374dbc9a1aeec9039e8331b9f93665db963c88f711

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\libeay32.dll

MD5 f8fbc228c3139532971f66881262b940
SHA1 f1655c3b836c764fdc0bb07661c3ef70a9f51318
SHA256 e2fad24a7cdbf526d25be68a83a213c05efba1a499bffed5d5a4ade50513c604
SHA512 cc036991f454255010fd1618feba34e3a1e23a941fa2aa6f76046faaddf6531918cb3e982bfac3db2ea1c1a1182994d4acfc8c15d6b4d58fdd4f7ea989bbb673

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\ssleay32.dll

MD5 fe8cda03e1df3c3a6dc8375263e790c3
SHA1 67955da301ef89cd0429074e403769721e7594be
SHA256 1295a0fd2b2605dee4dada91335a4010a29504be7ab014ea14fe0092fd2160fd
SHA512 0353e5314d553ed617ed286d01e981d3a9790d9f5c5fc391f84cb2be06922fe1d68a5d353dee0daabb6408c72ee65aec0d855c7c3a6fc6ca80567babf769bd1f

memory/3192-146-0x00000000035FB000-0x00000000038A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\settings.dat

MD5 213e79b14523d2b27c0a0b4043dfe768
SHA1 00df82db9ad3b30abc576c40d513affc89a7ce85
SHA256 c6274a4f246145633fc86537e45f6567bf9ac8ba70977eb12090d806e93f00c4
SHA512 e1b339b91c7048b80f9585d2fe99d558525610480945b6483a52e95d7a7956f4731b6399c6b9dcb72bfd1d135b85dccc52fac9aaba8ba9ef0cb374b4106dd7ad

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

memory/3192-155-0x00000000056E0000-0x00000000056E1000-memory.dmp

memory/3192-154-0x0000000005590000-0x0000000005591000-memory.dmp

memory/3192-156-0x0000000005450000-0x0000000005451000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\rfusclient.exe

MD5 0bde36e64c97bc8c2cb02aa05249fe28
SHA1 7939e68abddb44f1d91acb2694e3c56ef85371eb
SHA256 6db6819580c157fcc718bbb969163a6b5fdf69225f64a99ac89e269146de9f8d
SHA512 2d298be21519cc07ea4051a4aac07546d82194cd459643c83d2e60258f24859e635be2820cad3c59398521c1fd561a958ce3920b77b93d9ebe7b01f382b9ff7d

memory/3192-158-0x0000000005580000-0x0000000005581000-memory.dmp

memory/3192-159-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

memory/3192-161-0x0000000005550000-0x0000000005551000-memory.dmp

memory/3192-160-0x0000000005540000-0x0000000005541000-memory.dmp

memory/3192-162-0x0000000005560000-0x0000000005561000-memory.dmp

memory/3192-163-0x0000000005570000-0x0000000005571000-memory.dmp

memory/492-164-0x0000000002D5C000-0x0000000002F20000-memory.dmp

memory/492-165-0x0000000004950000-0x0000000004951000-memory.dmp

memory/492-166-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\logo.png

MD5 8fd9d6cf6230410b54f912009c8236a0
SHA1 a614451e1a8d046681bc06d86e82e6d6e03edf25
SHA256 fbfc892bbecd045af4249903f0c00e86fef2cea9124183d5672488be671fe678
SHA512 9b26c86c5c5fbb9fe5742ae8d78e816eb614d19f51fd91c8a38f3a4cb24babcf47182f42340fb493739217e32db231757f7c8cfb785acc2919c7be364ff20fc8

C:\Users\Admin\AppData\Roaming\RMS Agent\70020\2D1DBD89B2\branding.ini

MD5 31418147ef4b0577540bc410960d6ab0
SHA1 6d0e9506187588ae99dcc8e6ac39338477a03cd7
SHA256 4692f9cc6b32abab5dbe65cca3a2c2b751643ebea3124a26ca941f41a4a858aa
SHA512 6e92851f4368aadbae8df64b74cb8ace3317aee10edcc40181c5571c38880450e9035e95780b6481045438b126cdc9b4d82436c7d03a07de881b55755f3db3d6

memory/492-169-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/3192-170-0x0000000005510000-0x0000000005511000-memory.dmp

memory/3192-172-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

memory/3192-171-0x0000000005520000-0x0000000005521000-memory.dmp

memory/3192-173-0x0000000005C50000-0x0000000005C51000-memory.dmp

memory/4424-180-0x000001D18E730000-0x000001D18E740000-memory.dmp