Analysis Overview
SHA256
5762f57bdb828ca779acfdde7b4c986f2562696c87edf9b26f2985df9c287749
Threat Level: Known bad
The file 5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe was found to be: Known bad.
In both detonations the UPX-packed sample writes a complete RMS (Remote Manipulator System, also sold as Remote Utilities) host installation to C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885, starts the host with rutserv.exe -run_agent (a second instance follows with -run_agent -second) and the tray client with rfusclient.exe /tray /user, and the host then connects to 194.226.128.207:5655 (RU), the only destination common to both runs. The dropped files correspond to the tool's standard component set (host, tray client, libeay32/ssleay32 OpenSSL libraries, VP8/WebM codec DLLs, branding.ini, logo.png, settings.dat); what makes the sample bad is the unattended deployment from a user-writable directory followed by an immediate connection to a Russian-hosted address on TCP 5655. Treat the install path, the -run_agent/-second command lines and the 5655 destination as the indicators, and read the remaining signatures (tray-window lookups, window hooks, certificate-store and MuiCache writes) as the host's normal operation, with the caveat that several of them show the host running under the LocalSystem account.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
RMS
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-27 00:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-27 00:02
Reported
2022-04-27 00:04
Platform
win7-20220414-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
MuiCache entries are written when a process resolves localized shell folder names. HKEY_USERS\.DEFAULT is the hive LocalSystem uses in place of HKEY_CURRENT_USER (a token with no loaded user profile falls back to it as well), so these writes place the rutserv.exe instance outside the Admin user's session; the SysWOW64\ieframe.dll reference also shows it is a 32-bit process.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" /tray /user
Network
| Country | Destination | Domain | Proto |
| RU | 194.226.128.207:5655 | | tcp |
Files
memory/604-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
| MD5 | 5a0e86599acf1fe7e52ccec970ba267d |
| SHA1 | 2cf83b99bc7ac354385c35d4ec0cd09b731fa945 |
| SHA256 | cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d |
| SHA512 | 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10 |
memory/2040-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
| MD5 | 5a0e86599acf1fe7e52ccec970ba267d |
| SHA1 | 2cf83b99bc7ac354385c35d4ec0cd09b731fa945 |
| SHA256 | cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d |
| SHA512 | 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
| MD5 | 5f1953611f6c7f7abca398d6288c9397 |
| SHA1 | e9203fae4c0ff673a686f03df5df5a86a0b86e7d |
| SHA256 | 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26 |
| SHA512 | fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164 |
\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
| MD5 | 5f1953611f6c7f7abca398d6288c9397 |
| SHA1 | e9203fae4c0ff673a686f03df5df5a86a0b86e7d |
| SHA256 | 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26 |
| SHA512 | fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164 |
memory/1736-65-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll
| MD5 | 5222eaf78313758b0520be16e3f8392e |
| SHA1 | 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2 |
| SHA256 | 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5 |
| SHA512 | 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll
| MD5 | 5222eaf78313758b0520be16e3f8392e |
| SHA1 | 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2 |
| SHA256 | 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5 |
| SHA512 | 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll
| MD5 | 90a4b7fc6807693e68dd32b68614d989 |
| SHA1 | 785484ef531ca90f323d5b017fefcff05e68093a |
| SHA256 | 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6 |
| SHA512 | 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c |
\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll
| MD5 | 90a4b7fc6807693e68dd32b68614d989 |
| SHA1 | 785484ef531ca90f323d5b017fefcff05e68093a |
| SHA256 | 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6 |
| SHA512 | 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\settings.dat
| MD5 | c27be7d68cfd0bd3171e1ef17810d5f9 |
| SHA1 | 586159af074333174d0a67279f1eb3984db2834d |
| SHA256 | bb4369c750741a04ca9db4e976e5c24ca6622db29932546d4cee307cd33cf4d7 |
| SHA512 | 2651b2ad8df8abb4021f0769644a28b118d9716065da96a3aeab25bda72cd0e19276cc8a45a932da8b76e2ca6621896f4b10cd49a1c0eefca69dab6d158c6455 |
memory/1556-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\logo.png
| MD5 | 9ce69f005e39907bd768eeb9663198d2 |
| SHA1 | d724211e737143e7425c31cb49ae431b80ae0647 |
| SHA256 | 6e5fc3669f51c3295348315c74e3a33a5eb641b461cbfa79c88a4cb5680ce398 |
| SHA512 | 5a25ea18be2c59a0bc3e75adfb65226be4e3c1af342e8a5c4f0263471e9c84a80a3c0c17264efc9bf6b80910f9bd83520eb9d264b40efe2cf6b8fdaf3e9d8201 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\branding.ini
| MD5 | 20ac4d480454924d7398b2364bc5249c |
| SHA1 | 30bf0828a67845ff28278ec0b2618199082c3141 |
| SHA256 | f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55 |
| SHA512 | 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-27 00:02
Reported
2022-04-27 00:04
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
146s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5068 created 1868 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe |
The creating process is the Secondary Logon service host (svchost.exe -k netsvcs -p -s seclogon, PID 5068) and the process it creates (PID 1868) is, from the process order below, the rutserv.exe instance started with -run_agent -second. This is the pattern CreateProcessWithLogonW/CreateProcessWithTokenW produce: seclogon performs the creation on the caller's behalf and assigns the caller as the new process's parent, so the parent recorded for PID 1868 is not the process that actually called NtCreateUserProcess. Telemetry that only records the parent (Sysmon event 1, for example) will show rutserv.exe spawning rutserv.exe and miss the seclogon hop.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
These are not payload drops. CryptnetUrlCache\MetaData and \Content are crypt32's cache for URLs fetched during certificate chain building (CRL, OCSP and AuthRoot downloads), and C:\Windows\SysWOW64\config\systemprofile is the LocalSystem account's profile as seen by a 32-bit process. The signature matters as evidence that this rutserv.exe instance is running under the LocalSystem account; the files themselves are benign cache entries.
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
HKEY_USERS\.DEFAULT is the hive LocalSystem uses as its HKEY_CURRENT_USER (a token with no loaded user profile falls back to it too). The SystemCertificates\* keys are created by CAPI the first time a process opens the per-user certificate stores under that hive, and the MuiCache entries are written when the process resolves shell folder names; together with the systemprofile cache writes above, this places the writing rutserv.exe instance in the LocalSystem context rather than in the Admin session. None of these keys holds a certificate; they are empty store containers.
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
AuthRoot is the store that Windows' automatic root-certificate update populates: when chain building needs a root that is in the Microsoft CTL but not yet on the machine, crypt32 downloads it and writes the Blob under AuthRoot\Certificates\<SHA-1 thumbprint>. The write here is keyed by thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and is made by the rutserv.exe instance that also produced the CryptnetUrlCache entries above, which is the ordinary side effect of validating a TLS or code-signing chain as LocalSystem. A write into SystemCertificates\Root\Certificates would mean a new trust anchor was installed and deserves an alert; a write into AuthRoot does not by itself indicate certificate tampering.
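The AuthRoot write above is recorded only by key name and an elided Blob. The following is an added example written for this page, not part of the sandbox output: it parses the Windows certificate-store Blob format (a sequence of property records, each a little-endian DWORD property ID, a reserved DWORD that is always 1, a DWORD length and the data; property 32 holds the DER certificate and property 3 its SHA-1), recomputes the thumbprint, checks it against the key name, and classifies the registry path so that an AuthRoot auto-update write can be separated from a Root-store trust-anchor install. The certificate bytes and key paths in the sample are constructed; the report's real thumbprint is not resolved here.

```python
"""Parse a Windows SystemCertificates registry Blob, recover the certificate and
its thumbprint, and classify where in the store the write landed.
Added example, not part of the sandbox report."""
from __future__ import annotations

import hashlib
import re
import struct

# Property IDs from wincrypt.h (CERT_*_PROP_ID).
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

STORE_KEY_RE = re.compile(
    r"\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\.*?"
    r"\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})")


def build_blob(cert_der: bytes) -> bytes:
    """Serialise a certificate the way CAPI stores it: SHA-1 property, then the cert."""
    out = bytearray()
    for prop_id, data in ((CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest()),
                          (CERT_CERT_PROP_ID, cert_der)):
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the property records; raise on a truncated or malformed blob instead of
    silently returning a partial certificate."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("blob carries no certificate (property 32)")
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def thumbprint(blob: bytes) -> str:
    """SHA-1 over the DER certificate, upper-case hex as used for the key name."""
    return hashlib.sha1(parse_blob(blob)[CERT_CERT_PROP_ID]).hexdigest().upper()


def classify_write(reg_path: str, blob: bytes) -> dict:
    """AuthRoot under HKLM is the auto-update store crypt32 fills during chain building
    (the case in this report); Root installs a new trust anchor; a key name that does
    not match the certificate inside the blob is tampering or corruption."""
    m = STORE_KEY_RE.search(reg_path)
    if not m:
        return {"store": None, "match": None, "verdict": "not_a_certificate_key"}
    actual = thumbprint(blob)
    match = actual == m["thumb"].upper()
    store = m["store"].lower()
    if not match:
        verdict = "thumbprint_mismatch"
    elif store == "authroot" and m["hive"] == "MACHINE":
        verdict = "authroot_autoupdate"
    elif store == "root":
        verdict = "root_ca_installed"
    else:
        verdict = f"{store}_store_write"
    return {"store": m["store"], "match": match, "verdict": verdict, "thumbprint": actual}


# Constructed sample: a stand-in byte string in place of a real DER certificate.
FAKE_CERT = b"\x30\x82\x01\x00" + b"example-root-ca-not-a-real-certificate" * 4
FAKE_BLOB = build_blob(FAKE_CERT)
FAKE_THUMB = hashlib.sha1(FAKE_CERT).hexdigest().upper()
AUTHROOT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
                + "\\" + FAKE_THUMB)
ROOT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
            + "\\" + FAKE_THUMB)

if __name__ == "__main__":
    for key in (AUTHROOT_KEY, ROOT_KEY):
        print(key.rsplit("\\", 2)[-2], classify_write(key, FAKE_BLOB)["verdict"])
```

On a live host the Blob bytes come from the registry value itself (for example via reg.exe export or a Sysmon event 13 with the raw data); the same parser applies to the per-user stores under HKEY_USERS.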
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent -second
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| RU | 194.226.128.207:5655 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 20.189.173.9:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
| MD5 | 5a0e86599acf1fe7e52ccec970ba267d |
| SHA1 | 2cf83b99bc7ac354385c35d4ec0cd09b731fa945 |
| SHA256 | cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d |
| SHA512 | 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10 |
memory/3972-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
| MD5 | 5f1953611f6c7f7abca398d6288c9397 |
| SHA1 | e9203fae4c0ff673a686f03df5df5a86a0b86e7d |
| SHA256 | 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26 |
| SHA512 | fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164 |
memory/1868-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll
| MD5 | 5222eaf78313758b0520be16e3f8392e |
| SHA1 | 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2 |
| SHA256 | 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5 |
| SHA512 | 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll
| MD5 | 90a4b7fc6807693e68dd32b68614d989 |
| SHA1 | 785484ef531ca90f323d5b017fefcff05e68093a |
| SHA256 | 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6 |
| SHA512 | 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c |
memory/3432-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmmux.dll
| MD5 | 49c51ace274d7db13caa533880869a4a |
| SHA1 | b539ed2f1a15e2d4e5c933611d736e0c317b8313 |
| SHA256 | 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b |
| SHA512 | 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8encoder.dll
| MD5 | d5c2a6ac30e76b7c9b55adf1fe5c1e4a |
| SHA1 | 3d841eb48d1a32b511611d4b9e6eed71e2c373ee |
| SHA256 | 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428 |
| SHA512 | 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8decoder.dll
| MD5 | e247666cdea63da5a95aebc135908207 |
| SHA1 | 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392 |
| SHA256 | b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33 |
| SHA512 | 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\eventmsg.dll
| MD5 | 4e84df6558c385bc781cddea34c9fba3 |
| SHA1 | 6d63d87c19c11bdbfa484a5835ffffd7647296c8 |
| SHA256 | 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d |
| SHA512 | c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisdecoder.dll
| MD5 | eda07083af5b6608cb5b7c305d787842 |
| SHA1 | d1703c23522d285a3ccdaf7ba2eb837d40608867 |
| SHA256 | c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d |
| SHA512 | be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisencoder.dll
| MD5 | 642dc7e57f0c962b9db4c8fb346bc5a7 |
| SHA1 | acee24383b846f7d12521228d69135e5704546f6 |
| SHA256 | 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede |
| SHA512 | fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\settings.dat
| MD5 | c27be7d68cfd0bd3171e1ef17810d5f9 |
| SHA1 | 586159af074333174d0a67279f1eb3984db2834d |
| SHA256 | bb4369c750741a04ca9db4e976e5c24ca6622db29932546d4cee307cd33cf4d7 |
| SHA512 | 2651b2ad8df8abb4021f0769644a28b118d9716065da96a3aeab25bda72cd0e19276cc8a45a932da8b76e2ca6621896f4b10cd49a1c0eefca69dab6d158c6455 |
memory/224-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\logo.png
| MD5 | 9ce69f005e39907bd768eeb9663198d2 |
| SHA1 | d724211e737143e7425c31cb49ae431b80ae0647 |
| SHA256 | 6e5fc3669f51c3295348315c74e3a33a5eb641b461cbfa79c88a4cb5680ce398 |
| SHA512 | 5a25ea18be2c59a0bc3e75adfb65226be4e3c1af342e8a5c4f0263471e9c84a80a3c0c17264efc9bf6b80910f9bd83520eb9d264b40efe2cf6b8fdaf3e9d8201 |
C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\branding.ini
| MD5 | 20ac4d480454924d7398b2364bc5249c |
| SHA1 | 30bf0828a67845ff28278ec0b2618199082c3141 |
| SHA256 | f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55 |
| SHA512 | 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3 |