Malware Analysis Report

2024-11-15 08:39

Sample ID 220427-abg2hsafhl
Target 5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe
SHA256 5762f57bdb828ca779acfdde7b4c986f2562696c87edf9b26f2985df9c287749
Tags
upx rms rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5762f57bdb828ca779acfdde7b4c986f2562696c87edf9b26f2985df9c287749

Threat Level: Known bad

The file 5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe was found to be: Known bad.

Malicious Activity Summary

upx rms rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

RMS

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-27 00:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-27 00:02

Reported

2022-04-27 00:04

Platform

win7-20220414-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"

Signatures

RMS

trojan rat rms

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 604 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
PID 2040 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 436 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe

"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" /tray /user

Network

Country Destination Domain Proto
RU 194.226.128.207:5655 tcp

Files

memory/604-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10

memory/2040-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

memory/1736-65-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll

MD5 5222eaf78313758b0520be16e3f8392e
SHA1 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll

MD5 90a4b7fc6807693e68dd32b68614d989
SHA1 785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\settings.dat

MD5 c27be7d68cfd0bd3171e1ef17810d5f9
SHA1 586159af074333174d0a67279f1eb3984db2834d
SHA256 bb4369c750741a04ca9db4e976e5c24ca6622db29932546d4cee307cd33cf4d7
SHA512 2651b2ad8df8abb4021f0769644a28b118d9716065da96a3aeab25bda72cd0e19276cc8a45a932da8b76e2ca6621896f4b10cd49a1c0eefca69dab6d158c6455

memory/1556-83-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\logo.png

MD5 9ce69f005e39907bd768eeb9663198d2
SHA1 d724211e737143e7425c31cb49ae431b80ae0647
SHA256 6e5fc3669f51c3295348315c74e3a33a5eb641b461cbfa79c88a4cb5680ce398
SHA512 5a25ea18be2c59a0bc3e75adfb65226be4e3c1af342e8a5c4f0263471e9c84a80a3c0c17264efc9bf6b80910f9bd83520eb9d264b40efe2cf6b8fdaf3e9d8201

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\branding.ini

MD5 20ac4d480454924d7398b2364bc5249c
SHA1 30bf0828a67845ff28278ec0b2618199082c3141
SHA256 f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55
SHA512 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-27 00:02

Reported

2022-04-27 00:04

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5068 created 1868 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_DDC6638534E8608691DE0CEAFF22DE0F C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network" C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
PID 3972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 3972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 3972 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 5068 wrote to memory of 3432 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 5068 wrote to memory of 3432 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 5068 wrote to memory of 3432 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe
PID 3432 wrote to memory of 224 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
PID 3432 wrote to memory of 224 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe
PID 3432 wrote to memory of 224 N/A C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe

"C:\Users\Admin\AppData\Local\Temp\5762F57BDB828CA779ACFDDE7B4C986F2562696C87EDF.exe"

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe" -run_agent -second

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe" /tray /user

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
RU 194.226.128.207:5655 tcp
US 93.184.220.29:80 tcp
US 20.189.173.9:443 tcp
NL 104.97.14.81:80 tcp
NL 104.97.14.81:80 tcp
US 209.197.3.8:80 tcp

Files

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10

memory/3972-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

memory/1868-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll

MD5 5222eaf78313758b0520be16e3f8392e
SHA1 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll

MD5 5222eaf78313758b0520be16e3f8392e
SHA1 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll

MD5 90a4b7fc6807693e68dd32b68614d989
SHA1 785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll

MD5 90a4b7fc6807693e68dd32b68614d989
SHA1 785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rutserv.exe

MD5 5f1953611f6c7f7abca398d6288c9397
SHA1 e9203fae4c0ff673a686f03df5df5a86a0b86e7d
SHA256 54cdd1795816f16560e0e1ac8eecc74c50de6c22c446ec7cd1c2b0a26347de26
SHA512 fdd5e3399725ace189c965ec003ca44831f8dd0e7529cc74aa01acf6c0b93356fa0052462b9acee7e894f21eeb89fb10adbba503c075ba118e789bd9548ce164

memory/3432-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\ssleay32.dll

MD5 90a4b7fc6807693e68dd32b68614d989
SHA1 785484ef531ca90f323d5b017fefcff05e68093a
SHA256 4f475bd6235d2f761f6c6dbdf3f4b2f35fc6a3787e6b1b28a1912e85cb9be2f6
SHA512 97b970cb24774f141042149ac53e45b3fc42f9ce911c0ca774aa3812f48d7744434bf31d217b2a8522439d0e3f71048cc916556c18a71be61b203c942373a81c

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\libeay32.dll

MD5 5222eaf78313758b0520be16e3f8392e
SHA1 9c7cc8fb340618fef38422cf0c75c4c9bfb216e2
SHA256 4771b71a48190504094d104087dd431c1c40bde6fad0338a86aa42f7f2a457a5
SHA512 459503146f963c64777c56176e480e3334c5bcff2bfef14fc2925b38f1f32117c387dc957789e1691a68798c004c9e672460bda51edcc7b45fb0e1553bf66812

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmmux.dll

MD5 49c51ace274d7db13caa533880869a4a
SHA1 b539ed2f1a15e2d4e5c933611d736e0c317b8313
SHA256 1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b
SHA512 13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8encoder.dll

MD5 d5c2a6ac30e76b7c9b55adf1fe5c1e4a
SHA1 3d841eb48d1a32b511611d4b9e6eed71e2c373ee
SHA256 11c7004851e6e6624158990dc8abe3aa517bcab708364d469589ad0ca3dba428
SHA512 3c1c7fb535e779ac6c0d5aef2d4e9239f1c27136468738a0bd8587f91b99365a38808be31380be98fd74063d266654a6ac2c2e88861a3fe314a95f1296699e1d

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\vp8decoder.dll

MD5 e247666cdea63da5a95aebc135908207
SHA1 4642f6c3973c41b7d1c9a73111a26c2d7ac9c392
SHA256 b419ed0374e3789b4f83d4af601f796d958e366562a0aaea5d2f81e82abdcf33
SHA512 06da11e694d5229783cfb058dcd04d855a1d0758beeaa97bcd886702a1502d0bf542e7890aa8f2e401be36ccf70376b5c091a5d328bb1abe738bc0798ab98a54

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\eventmsg.dll

MD5 4e84df6558c385bc781cddea34c9fba3
SHA1 6d63d87c19c11bdbfa484a5835ffffd7647296c8
SHA256 0526073f28a3b5999528bfa0e680d668922499124f783f02c52a3b25c367ef6d
SHA512 c35da0744568bfffeff09e6590d059e91e5d380c5feb3a0fbc5b19477ceca007a882884a7033345ce408fce1deac5248ad9b046656478d734fe494b787f8a9f2

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisdecoder.dll

MD5 eda07083af5b6608cb5b7c305d787842
SHA1 d1703c23522d285a3ccdaf7ba2eb837d40608867
SHA256 c4683eb09d65d692ca347c0c21f72b086bd2faf733b13234f3a6b28444457d7d
SHA512 be5879621d544c4e2c4b0a5db3d93720623e89e841b2982c7f6c99ba58d30167e0dd591a12048ed045f19ec45877aa2ef631b301b903517effa17579c4b7c401

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\webmvorbisencoder.dll

MD5 642dc7e57f0c962b9db4c8fb346bc5a7
SHA1 acee24383b846f7d12521228d69135e5704546f6
SHA256 63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede
SHA512 fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\settings.dat

MD5 c27be7d68cfd0bd3171e1ef17810d5f9
SHA1 586159af074333174d0a67279f1eb3984db2834d
SHA256 bb4369c750741a04ca9db4e976e5c24ca6622db29932546d4cee307cd33cf4d7
SHA512 2651b2ad8df8abb4021f0769644a28b118d9716065da96a3aeab25bda72cd0e19276cc8a45a932da8b76e2ca6621896f4b10cd49a1c0eefca69dab6d158c6455

memory/224-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\rfusclient.exe

MD5 5a0e86599acf1fe7e52ccec970ba267d
SHA1 2cf83b99bc7ac354385c35d4ec0cd09b731fa945
SHA256 cd734ca5611e02133bec7ff94d332a125c5957e7648f22549d2d65e7d7fd502d
SHA512 037db2e9271ae68d1cf69e1b82884f32547f99da17b6a6365a91681ebb82ec0e23c63cf80a5138b319c7a4e58c865d9a2fc1c00d7d9ff1071e0bdf8a3c9e3b10

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\logo.png

MD5 9ce69f005e39907bd768eeb9663198d2
SHA1 d724211e737143e7425c31cb49ae431b80ae0647
SHA256 6e5fc3669f51c3295348315c74e3a33a5eb641b461cbfa79c88a4cb5680ce398
SHA512 5a25ea18be2c59a0bc3e75adfb65226be4e3c1af342e8a5c4f0263471e9c84a80a3c0c17264efc9bf6b80910f9bd83520eb9d264b40efe2cf6b8fdaf3e9d8201

C:\Users\Admin\AppData\Roaming\RMS Agent\70120\372E684885\branding.ini

MD5 20ac4d480454924d7398b2364bc5249c
SHA1 30bf0828a67845ff28278ec0b2618199082c3141
SHA256 f57efe43c5ecb38018d497ae3eb107e687c8ac1a3a1da7ddbf11d461be42bb55
SHA512 53ba4006cf4fbbe2b575b1cdff194de1798ded76faea23dc53d8cebab35e3d28e91e0225c055daba1b34168070c7ed21320fb866c50c0a4a80572901eb0d28a3