Analysis Overview
SHA256
cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c
Threat Level: Known bad
The file cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c was found to be: Known bad.
Malicious Activity Summary
UAC bypass
RMS
Executes dropped EXE
UPX packed file
Modifies Windows Firewall
Loads dropped DLL
Allows Network login with blank passwords
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Checks processor information in registry
System policy modification
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-13 10:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-13 10:24
Reported
2022-02-13 10:30
Platform
win7-en-20211208
Max time kernel
155s
Max time network
173s
Command Line
Signatures
RMS
UAC bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Services\run.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rfusclient.exe | N/A |
Modifies Windows Firewall
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Allows Network login with blank passwords
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\sys.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
Drops file in Program Files directory
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\RMS\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe
"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Program Files\RMS\regedit.reg"
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /silentinstall
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Program Files\RMS\regedit.reg"
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /start
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe"
C:\Program Files\RMS\rfusclient.exe
"C:\Program Files\RMS\rfusclient.exe"
C:\Program Files\RMS\rfusclient.exe
"C:\Program Files\RMS\rfusclient.exe" /tray
C:\Program Files\RMS\sys.exe
"C:\Program Files\RMS\sys.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\Services\run.bat
C:\Users\Admin\AppData\Roaming\Services\run.exe
C:\Users\Admin\AppData\Roaming\Services\run.exe
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Program Files\RMS\rfusclient.exe
"C:\Program Files\RMS\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/1940-55-0x00000000760F1000-0x00000000760F3000-memory.dmp
memory/1940-56-0x0000000000400000-0x0000000000DE7000-memory.dmp
C:\Program Files\RMS\regedit.reg
| MD5 | b7ea6b6f29b74c67920adabf4ce9c348 |
| SHA1 | 680ff1970192887af59ed9f532e8342234e60d17 |
| SHA256 | 055ca8a6601891472d14ab3817c2f96a7edb46d6c6548b0247621221c24322ca |
| SHA512 | fe5f00cd79a7b1419bf39d3272800094ccd5327a5d9bd5be46b803866ceb0cda38a9fb55e28b39dd89937e287c22057525b67dac85a1150c651f7690c9e10b14 |
\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
C:\Program Files\RMS\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\Program Files\RMS\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
C:\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
C:\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
\Program Files\RMS\sys.exe
| MD5 | dea49a07b4128f06c6c38de2ea030cba |
| SHA1 | a7922148b1fa47b07e9fd0ffb785b2be04d8048a |
| SHA256 | a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07 |
| SHA512 | 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5 |
C:\Program Files\RMS\sys.exe
| MD5 | dea49a07b4128f06c6c38de2ea030cba |
| SHA1 | a7922148b1fa47b07e9fd0ffb785b2be04d8048a |
| SHA256 | a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07 |
| SHA512 | 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5 |
C:\Program Files\RMS\sys.exe
| MD5 | dea49a07b4128f06c6c38de2ea030cba |
| SHA1 | a7922148b1fa47b07e9fd0ffb785b2be04d8048a |
| SHA256 | a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07 |
| SHA512 | 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5 |
memory/1712-84-0x0000000000400000-0x0000000000933562-memory.dmp
\Users\Admin\AppData\Roaming\Services\run.exe
| MD5 | 4f815a311efbb5a6ef5a2767e0b29057 |
| SHA1 | 7dfce309a06e729ec7cbb26dacf1cf158fc68188 |
| SHA256 | 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28 |
| SHA512 | 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2 |
C:\Users\Admin\AppData\Roaming\Services\run.exe
| MD5 | 4f815a311efbb5a6ef5a2767e0b29057 |
| SHA1 | 7dfce309a06e729ec7cbb26dacf1cf158fc68188 |
| SHA256 | 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28 |
| SHA512 | 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2 |
memory/1712-92-0x00000000022B0000-0x00000000025D6000-memory.dmp
memory/1712-90-0x0000000000401000-0x0000000000742000-memory.dmp
memory/1712-93-0x00000000003C0000-0x00000000003C3000-memory.dmp
memory/1940-91-0x0000000000400000-0x0000000000DE7000-memory.dmp
memory/1712-94-0x0000000000290000-0x0000000000296000-memory.dmp
memory/924-96-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1200-98-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1336-97-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Roaming\Services\run.bat
| MD5 | 66f6453a137c5e4f08abea15ec094943 |
| SHA1 | 0f0291dd0bf81b8e332387bf18a3d23cc3013692 |
| SHA256 | 7658e22933d99895f25d2ad80516c104dee201871b6ae26d56d0281ed0724068 |
| SHA512 | 61ca084730259885f53f55005e4387e1fac33664f3ddb0f9a0e3804ce2c8bf181e0da5926176ac7eaae1843606314592807f5446738cfbba843eb66e358945bf |
memory/1724-100-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
memory/1340-103-0x00000000001C0000-0x00000000001C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-13 10:24
Reported
2022-02-13 10:29
Platform
win10v2004-en-20220112
Max time kernel
162s
Max time network
175s
Command Line
Signatures
RMS
UAC bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\sys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Services\run.exe | N/A |
Modifies Windows Firewall
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Allows Network login with blank passwords
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.232739" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4208" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3996" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3856" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.346023" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.008181" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4060" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893980538698259" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
| N/A | N/A | C:\Program Files\RMS\rutserg.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe
"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Program Files\RMS\regedit.reg"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /silentinstall
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /firewall
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Program Files\RMS\regedit.reg"
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe" /start
C:\Program Files\RMS\rutserg.exe
"C:\Program Files\RMS\rutserg.exe"
C:\Program Files\RMS\sys.exe
"C:\Program Files\RMS\sys.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Services\run.bat
C:\Users\Admin\AppData\Roaming\Services\run.exe
C:\Users\Admin\AppData\Roaming\Services\run.exe
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.143.87.28:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
Files
memory/2228-130-0x0000000000400000-0x0000000000DE7000-memory.dmp
C:\Program Files\RMS\regedit.reg
| MD5 | b7ea6b6f29b74c67920adabf4ce9c348 |
| SHA1 | 680ff1970192887af59ed9f532e8342234e60d17 |
| SHA256 | 055ca8a6601891472d14ab3817c2f96a7edb46d6c6548b0247621221c24322ca |
| SHA512 | fe5f00cd79a7b1419bf39d3272800094ccd5327a5d9bd5be46b803866ceb0cda38a9fb55e28b39dd89937e287c22057525b67dac85a1150c651f7690c9e10b14 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\rutserg.exe
| MD5 | 8f115fdd2bd9e9a83e0a1e0771f2e925 |
| SHA1 | bd41b8c9ad505b8d4f5000785a95ee23b42a2832 |
| SHA256 | 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625 |
| SHA512 | 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5 |
C:\Program Files\RMS\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
C:\Program Files\RMS\rfusclient.exe
| MD5 | baedb3d6631842569353333ca074a5e0 |
| SHA1 | d7471c16defbb607dc36017f256571feeebc7f2e |
| SHA256 | 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6 |
| SHA512 | c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66 |
C:\Program Files\RMS\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
memory/2228-143-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2228-142-0x0000000000400000-0x0000000000DE7000-memory.dmp
memory/3640-144-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
C:\Program Files\RMS\sys.exe
| MD5 | dea49a07b4128f06c6c38de2ea030cba |
| SHA1 | a7922148b1fa47b07e9fd0ffb785b2be04d8048a |
| SHA256 | a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07 |
| SHA512 | 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5 |
memory/3944-146-0x0000000000401000-0x0000000000742000-memory.dmp
C:\Program Files\RMS\sys.exe
| MD5 | dea49a07b4128f06c6c38de2ea030cba |
| SHA1 | a7922148b1fa47b07e9fd0ffb785b2be04d8048a |
| SHA256 | a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07 |
| SHA512 | 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5 |
memory/3944-149-0x0000000000400000-0x0000000000933562-memory.dmp
memory/3944-148-0x0000000000400000-0x0000000000933562-memory.dmp
memory/3944-152-0x0000000002640000-0x0000000002966000-memory.dmp
memory/3944-153-0x0000000002980000-0x0000000002983000-memory.dmp
memory/3944-154-0x0000000002970000-0x0000000002976000-memory.dmp
memory/3944-155-0x000000007FE40000-0x000000007FE41000-memory.dmp
C:\Users\Admin\AppData\Roaming\Services\run.exe
| MD5 | 4f815a311efbb5a6ef5a2767e0b29057 |
| SHA1 | 7dfce309a06e729ec7cbb26dacf1cf158fc68188 |
| SHA256 | 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28 |
| SHA512 | 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2 |
C:\Users\Admin\AppData\Roaming\Services\run.exe
| MD5 | 4f815a311efbb5a6ef5a2767e0b29057 |
| SHA1 | 7dfce309a06e729ec7cbb26dacf1cf158fc68188 |
| SHA256 | 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28 |
| SHA512 | 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2 |
C:\Users\Admin\AppData\Roaming\Services\run.bat
| MD5 | 66f6453a137c5e4f08abea15ec094943 |
| SHA1 | 0f0291dd0bf81b8e332387bf18a3d23cc3013692 |
| SHA256 | 7658e22933d99895f25d2ad80516c104dee201871b6ae26d56d0281ed0724068 |
| SHA512 | 61ca084730259885f53f55005e4387e1fac33664f3ddb0f9a0e3804ce2c8bf181e0da5926176ac7eaae1843606314592807f5446738cfbba843eb66e358945bf |
memory/736-159-0x00000000020C0000-0x00000000020C1000-memory.dmp