Malware Analysis Report

2024-11-30 19:36

Sample ID 220213-mftx4aggf7
Target cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c
SHA256 cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c
Tags
rms evasion rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c

Threat Level: Known bad

The file cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c was found to be: Known bad.

Malicious Activity Summary

rms evasion rat trojan upx

UAC bypass

RMS

Executes dropped EXE

UPX packed file

Modifies Windows Firewall

Loads dropped DLL

Allows Network login with blank passwords

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Checks processor information in registry

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: SetClipboardViewer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 10:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 10:24

Reported

2022-02-13 10:30

Platform

win7-en-20211208

Max time kernel

155s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"

Signatures

RMS

trojan rat rms

UAC bypass

evasion trojan

Modifies Windows Firewall

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Allows Network login with blank passwords

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\RMS\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\rutserg.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\settings.ini C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\rutserg.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\settings.ini C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files\RMS\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\RMS\rutserg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 1940 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 1940 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 1940 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 1940 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 1336 wrote to memory of 1200 N/A C:\Program Files\RMS\rutserg.exe C:\Program Files\RMS\rfusclient.exe
PID 1336 wrote to memory of 924 N/A C:\Program Files\RMS\rutserg.exe C:\Program Files\RMS\rfusclient.exe
PID 1940 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\sys.exe
PID 1712 wrote to memory of 2028 N/A C:\Program Files\RMS\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1724 N/A C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Roaming\Services\run.exe
PID 2028 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1200 wrote to memory of 1340 N/A C:\Program Files\RMS\rfusclient.exe C:\Program Files\RMS\rfusclient.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe

"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\RMS\regedit.reg"

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /silentinstall

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\RMS\regedit.reg"

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /start

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe"

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe"

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe" /tray

C:\Program Files\RMS\sys.exe

"C:\Program Files\RMS\sys.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\Services\run.bat

C:\Users\Admin\AppData\Roaming\Services\run.exe

C:\Users\Admin\AppData\Roaming\Services\run.exe

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Program Files\RMS\rfusclient.exe

"C:\Program Files\RMS\rfusclient.exe" /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1940-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

memory/1940-56-0x0000000000400000-0x0000000000DE7000-memory.dmp

C:\Program Files\RMS\regedit.reg

MD5 b7ea6b6f29b74c67920adabf4ce9c348
SHA1 680ff1970192887af59ed9f532e8342234e60d17
SHA256 055ca8a6601891472d14ab3817c2f96a7edb46d6c6548b0247621221c24322ca
SHA512 fe5f00cd79a7b1419bf39d3272800094ccd5327a5d9bd5be46b803866ceb0cda38a9fb55e28b39dd89937e287c22057525b67dac85a1150c651f7690c9e10b14

\Program Files\RMS\rutserg.exe

MD5 8f115fdd2bd9e9a83e0a1e0771f2e925
SHA1 bd41b8c9ad505b8d4f5000785a95ee23b42a2832
SHA256 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625
SHA512 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5

C:\Program Files\RMS\rutserg.exe

MD5 8f115fdd2bd9e9a83e0a1e0771f2e925
SHA1 bd41b8c9ad505b8d4f5000785a95ee23b42a2832
SHA256 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625
SHA512 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5

C:\Program Files\RMS\rfusclient.exe

MD5 baedb3d6631842569353333ca074a5e0
SHA1 d7471c16defbb607dc36017f256571feeebc7f2e
SHA256 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6
SHA512 c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66

C:\Program Files\RMS\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Program Files\RMS\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

\Program Files\RMS\rfusclient.exe

MD5 baedb3d6631842569353333ca074a5e0
SHA1 d7471c16defbb607dc36017f256571feeebc7f2e
SHA256 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6
SHA512 c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66

\Program Files\RMS\sys.exe

MD5 dea49a07b4128f06c6c38de2ea030cba
SHA1 a7922148b1fa47b07e9fd0ffb785b2be04d8048a
SHA256 a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07
SHA512 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5

C:\Program Files\RMS\sys.exe

MD5 dea49a07b4128f06c6c38de2ea030cba
SHA1 a7922148b1fa47b07e9fd0ffb785b2be04d8048a
SHA256 a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07
SHA512 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5

memory/1712-84-0x0000000000400000-0x0000000000933562-memory.dmp

\Users\Admin\AppData\Roaming\Services\run.exe

MD5 4f815a311efbb5a6ef5a2767e0b29057
SHA1 7dfce309a06e729ec7cbb26dacf1cf158fc68188
SHA256 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28
SHA512 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2

C:\Users\Admin\AppData\Roaming\Services\run.exe

MD5 4f815a311efbb5a6ef5a2767e0b29057
SHA1 7dfce309a06e729ec7cbb26dacf1cf158fc68188
SHA256 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28
SHA512 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2

memory/1712-92-0x00000000022B0000-0x00000000025D6000-memory.dmp

memory/1712-90-0x0000000000401000-0x0000000000742000-memory.dmp

memory/1712-93-0x00000000003C0000-0x00000000003C3000-memory.dmp

memory/1940-91-0x0000000000400000-0x0000000000DE7000-memory.dmp

memory/1712-94-0x0000000000290000-0x0000000000296000-memory.dmp

memory/924-96-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1200-98-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1336-97-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Services\run.bat

MD5 66f6453a137c5e4f08abea15ec094943
SHA1 0f0291dd0bf81b8e332387bf18a3d23cc3013692
SHA256 7658e22933d99895f25d2ad80516c104dee201871b6ae26d56d0281ed0724068
SHA512 61ca084730259885f53f55005e4387e1fac33664f3ddb0f9a0e3804ce2c8bf181e0da5926176ac7eaae1843606314592807f5446738cfbba843eb66e358945bf

memory/1724-100-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1340-103-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 10:24

Reported

2022-02-13 10:29

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"

Signatures

RMS

trojan rat rms

UAC bypass

evasion trojan

Modifies Windows Firewall

evasion

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Allows Network login with blank passwords

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\RMS\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\settings.ini C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\rutserg.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File created C:\Program Files\RMS\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\settings.ini C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\rutserg.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\rfusclient.exe C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
File opened for modification C:\Program Files\RMS\regedit.reg C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.232739" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4208" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3996" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3856" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.346023" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.008181" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4060" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893980538698259" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\RMS\rutserg.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A
N/A N/A C:\Program Files\RMS\rutserg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Windows\SysWOW64\regedit.exe
PID 2228 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\rutserg.exe
PID 2228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\sys.exe
PID 2228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\sys.exe
PID 2228 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe C:\Program Files\RMS\sys.exe
PID 3944 wrote to memory of 3376 N/A C:\Program Files\RMS\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3376 N/A C:\Program Files\RMS\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3376 N/A C:\Program Files\RMS\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 736 N/A C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Roaming\Services\run.exe
PID 3944 wrote to memory of 736 N/A C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Roaming\Services\run.exe
PID 3944 wrote to memory of 736 N/A C:\Program Files\RMS\sys.exe C:\Users\Admin\AppData\Roaming\Services\run.exe
PID 3376 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3376 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3376 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe

"C:\Users\Admin\AppData\Local\Temp\cb7f487a64b11b3eb26e0f597b2c195835285850a24c23b6534d4d6d8d67af6c.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\RMS\regedit.reg"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /silentinstall

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\RMS\regedit.reg"

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe" /start

C:\Program Files\RMS\rutserg.exe

"C:\Program Files\RMS\rutserg.exe"

C:\Program Files\RMS\sys.exe

"C:\Program Files\RMS\sys.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Services\run.bat

C:\Users\Admin\AppData\Roaming\Services\run.exe

C:\Users\Admin\AppData\Roaming\Services\run.exe

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
BE 8.238.110.126:80 tcp
NL 8.238.24.126:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.143.87.28:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp

Files

memory/2228-130-0x0000000000400000-0x0000000000DE7000-memory.dmp

C:\Program Files\RMS\regedit.reg

MD5 b7ea6b6f29b74c67920adabf4ce9c348
SHA1 680ff1970192887af59ed9f532e8342234e60d17
SHA256 055ca8a6601891472d14ab3817c2f96a7edb46d6c6548b0247621221c24322ca
SHA512 fe5f00cd79a7b1419bf39d3272800094ccd5327a5d9bd5be46b803866ceb0cda38a9fb55e28b39dd89937e287c22057525b67dac85a1150c651f7690c9e10b14

C:\Program Files\RMS\rutserg.exe

MD5 8f115fdd2bd9e9a83e0a1e0771f2e925
SHA1 bd41b8c9ad505b8d4f5000785a95ee23b42a2832
SHA256 86e4cacf9fdbe0ced991bc5c75790ccc806b3431c3ae1ccd6d56407620ecf625
SHA512 366e6380671445df023ae1479e7a2dcfb205ca4ac16b478d060d38f649967b8d2bf7f041ff7ebc3f248861e41c5b5c45e598b954109ab5fd56a87bc03a5a3ae5

C:\Program Files\RMS\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\RMS\rfusclient.exe

MD5 baedb3d6631842569353333ca074a5e0
SHA1 d7471c16defbb607dc36017f256571feeebc7f2e
SHA256 4751e1882819162d3b3404d36bffcaf94778bf76dfb3a1bfe662aa88bb80bae6
SHA512 c10faaa4c599aa6be3e39449b5f828e58ce0f042e5103e571b98a7dd8cf538724546b47ed8b76dbda4f70610171d3368526b108665cdfa38d8114c476384eb66

C:\Program Files\RMS\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

memory/2228-143-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2228-142-0x0000000000400000-0x0000000000DE7000-memory.dmp

memory/3640-144-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

C:\Program Files\RMS\sys.exe

MD5 dea49a07b4128f06c6c38de2ea030cba
SHA1 a7922148b1fa47b07e9fd0ffb785b2be04d8048a
SHA256 a2dff42aa84ba9cfdfb81c8e3353979d99607ac77e77b3c1c32a68882371ca07
SHA512 9ad954cf5051b487804c775b516c0d72c63af7278cb946d66598633b4bd38e3b26ee04743eddb76bba05e77213edd402f32d3d2b8c494961607afff58232e7d5

memory/3944-146-0x0000000000401000-0x0000000000742000-memory.dmp

memory/3944-149-0x0000000000400000-0x0000000000933562-memory.dmp

memory/3944-148-0x0000000000400000-0x0000000000933562-memory.dmp

memory/3944-152-0x0000000002640000-0x0000000002966000-memory.dmp

memory/3944-153-0x0000000002980000-0x0000000002983000-memory.dmp

memory/3944-154-0x0000000002970000-0x0000000002976000-memory.dmp

memory/3944-155-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Users\Admin\AppData\Roaming\Services\run.exe

MD5 4f815a311efbb5a6ef5a2767e0b29057
SHA1 7dfce309a06e729ec7cbb26dacf1cf158fc68188
SHA256 748e143f022a3a2a42007976e3c67140ce24f7eb16d1752b74f518f179545a28
SHA512 280dc9e7ea57a8e6c5a4350b66cf529d04382403e5404d0e269f454d64978f3dc3ece04cdd9a45cb188f4f58081d73c888e6c9b322c1e1510f6368094d6050e2

C:\Users\Admin\AppData\Roaming\Services\run.bat

MD5 66f6453a137c5e4f08abea15ec094943
SHA1 0f0291dd0bf81b8e332387bf18a3d23cc3013692
SHA256 7658e22933d99895f25d2ad80516c104dee201871b6ae26d56d0281ed0724068
SHA512 61ca084730259885f53f55005e4387e1fac33664f3ddb0f9a0e3804ce2c8bf181e0da5926176ac7eaae1843606314592807f5446738cfbba843eb66e358945bf

memory/736-159-0x00000000020C0000-0x00000000020C1000-memory.dmp