Analysis Overview
SHA256
b55cf23b9c1295cb522a86734d55de3a3263e63fc58bb4004de54fd4475c531e
Threat Level: Known bad
The file B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
RMS
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-17 12:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-17 12:10
Reported
2022-05-17 12:12
Platform
win7-20220414-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe
"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
rfusclient.exe -deploy
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe" -run_agent
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe"
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe -second
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe /tray /user
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.37.43.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | rms.ecomeds.ru | udp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.37.43.27:80 | tl.symcd.com | tcp |
| RU | 95.143.15.215:5655 | rms.ecomeds.ru | tcp |
Files
memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1892-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
| MD5 | 9b7ac054975f8f7b6fe9a41a18e2d6e7 |
| SHA1 | d820008d3732f37a7e4030c4bd414e3764de1af7 |
| SHA256 | 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255 |
| SHA512 | 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
memory/1692-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg
| MD5 | 294227da6f9c610c49d38e3965bcdb71 |
| SHA1 | a6f694235a68fe35ece21d39e736e16053f4b91d |
| SHA256 | 55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755 |
| SHA512 | 0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf
| MD5 | c3d7db3461db0dbb8a1d2a937b1d6252 |
| SHA1 | 35fafe6c6812f20454c709b0a43a21bf7e9f66bf |
| SHA256 | cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46 |
| SHA512 | 9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png
| MD5 | 8c36cac6a4b532366bd357139715f64f |
| SHA1 | a05f193ccb47474323598df7325a9cf2400da91c |
| SHA256 | 49529ab38016ca0fa715456b0eed7569741b7370f0bb828b6d21edcdd8730b0a |
| SHA512 | eaa525dc4138b6df7f4cb24a37a413fe1446fb20b852fadc284ebd2636177900553e5794d2da0af3e6a33cf07b003359f0622477157f57587eb524494095e564 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt
| MD5 | 90b15937ff9ec75f7016e171bd1261ce |
| SHA1 | 3fa80c58e8bf6c3ab356047cfaa14187328c3732 |
| SHA256 | eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a |
| SHA512 | 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
| MD5 | d10dae1197db0b694c832ae512b34024 |
| SHA1 | 24757c07c814d53ded645547bc53e29c98919077 |
| SHA256 | 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be |
| SHA512 | f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Russian.lg
| MD5 | cc99020d311e97d6127ab9ddd44c980b |
| SHA1 | 57746de06ba0f206f6ef34c453b5d5cc1f00e136 |
| SHA256 | 37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b |
| SHA512 | 4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll
| MD5 | 59068498190113e051d94fd0b5ef98aa |
| SHA1 | 6b64bb29763c43a86a4be87fcbc94b2f4697ced3 |
| SHA256 | 097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46 |
| SHA512 | f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini
| MD5 | 6b948f51b8645b3a315a5466b615e3c7 |
| SHA1 | e96926a39e6a41f1dd40a564d0cfa80edd6e70a4 |
| SHA256 | ee7c0246e8c9f100c7acbd09bed0d7633f4f9bd9095c56fc6f64c74c83d61768 |
| SHA512 | 674ed59e744e99f492d576eb8c1736e0d4b34c9a25fe87fb4dbae4c7fb76c1a45731a3f4eb7823eaae0567da269d6041706b06782047dd1b5ad9c6b494c649cd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
| MD5 | 89770647609ac26c1bbd9cf6ed50954e |
| SHA1 | 349eed120070bab7e96272697b39e786423ac1d3 |
| SHA256 | 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4 |
| SHA512 | a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll
| MD5 | 5308b9945e348fbe3a480be06885434c |
| SHA1 | 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff |
| SHA256 | 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a |
| SHA512 | 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll
| MD5 | 7a9eeac3ceaf7f95f44eb5c57b4db2e3 |
| SHA1 | be1048c254aa3114358f76d08c55667c4bf2d382 |
| SHA256 | b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88 |
| SHA512 | b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll
| MD5 | d29f7070ee379544aeb19913621c88e6 |
| SHA1 | 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be |
| SHA256 | 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf |
| SHA512 | 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
| MD5 | 1ea62293ac757a0c2b64e632f30db636 |
| SHA1 | 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba |
| SHA256 | 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df |
| SHA512 | 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat
| MD5 | b16ea675ebd94251048b55bfb0fc9c2a |
| SHA1 | b39e923cfeca6d05de88f3a815af42cc754905af |
| SHA256 | 5b13a17d77f6f8eec9f20c3155bfdc39d09c5b668929fc46295b480b896851b0 |
| SHA512 | 03636f9c47bb0c85ce76b3a6439da42ec94c9417dffeebe292566bda2620f31d4b0836fe38bfb5e4d3299d192a6aa34eed867bc1f8ba050dad344ddbe30c2959 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll
| MD5 | 56c10161ff350d143fe51affe777d19f |
| SHA1 | 54abec9bcf95904b666fa5dbdc9b976acb59e79d |
| SHA256 | 4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8 |
| SHA512 | 229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85 |
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
memory/1852-79-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
| MD5 | d10dae1197db0b694c832ae512b34024 |
| SHA1 | 24757c07c814d53ded645547bc53e29c98919077 |
| SHA256 | 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be |
| SHA512 | f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e |
memory/1180-86-0x0000000000000000-mapping.dmp
memory/1620-92-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-17 12:10
Reported
2022-05-17 12:12
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 860 created 1712 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
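The three certificate-related signatures above (Drops file in System32 directory, Modifies data under HKEY_USERS, Modifies system certificate store) read as one sequence once the process context is taken into account: rutserv.exe holds SeTcbPrivilege and its per-user hive is HKU\.DEFAULT, so it runs as LocalSystem; CryptoAPI creates the empty Certificates/CRLs/CTLs containers when it opens the SYSTEM profile's stores; the CryptnetUrlCache files under config\systemprofile are the LocalSystem URL cache for a CRL/OCSP/root fetch (the t2.symcb.com and tl.symcd.com connections in the Network table); and the AuthRoot store is the one the automatic root update fills, not the Root store an implant would target. The script below, an added example that is not part of the sandbox report or of the RMS product, sorts such registry rows into those buckets. Its sample events are copied from the tables above plus one constructed counter-example that is not on the page, and KNOWN_PUBLIC_ROOTS is an allowlist the analyst is assumed to keep (seed it from a clean host's AuthRoot store); its one entry is the thumbprint recorded above, which is the DigiCert Assured ID Root CA.

```python
"""Sort certificate-store registry events into what they mean.

Added example; not from the sandbox report or the RMS product.  Sample events
are copied from the tables above plus one constructed counter-example.
KNOWN_PUBLIC_ROOTS is an assumed analyst-maintained allowlist.
"""
import re
from collections import Counter

CERT_KEY = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:Policies\\)?"
    r"Microsoft\\SystemCertificates\\(?P<store>[^\\]+)"
    r"(?:\\(?:Certificates|CRLs|CTLs)(?:\\(?P<thumb>[0-9A-F]{40}))?)?",
    re.IGNORECASE,
)
# CryptoAPI URL cache of the LocalSystem profile.  SysWOW64 in the path means a
# 32-bit writer reached it through file-system redirection.
SYSTEM_CRYPTNET = re.compile(
    r"^C:\\Windows\\(?:System32|SysWOW64)\\config\\systemprofile\\AppData\\LocalLow"
    r"\\Microsoft\\CryptnetUrlCache(?:\\|$)",
    re.IGNORECASE,
)
KNOWN_PUBLIC_ROOTS = {"0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"}  # assumed allowlist


def classify(op: str, key: str) -> str:
    """Label one registry event (operation, key path) from the report."""
    m = CERT_KEY.match(key)
    if not m:
        return "not-a-cert-store-key"
    store, thumb = m["store"].lower(), m["thumb"]
    as_system = m["hive"].upper() == "USER\\.DEFAULT"
    if thumb is None:
        # CertOpenStore creates a store's Certificates/CRLs/CTLs containers the
        # first time it is opened.  Under HKU\.DEFAULT the caller's HKCU is the
        # SYSTEM profile, so the writer runs as LocalSystem (a service).
        return "store-open-as-system" if as_system else "store-open"
    if store == "authroot":
        # AuthRoot is filled by the automatic root update when chain building
        # needs a root that is not yet local.  A known public root landing
        # here is CryptoAPI doing its job, not a trust-anchor implant.
        return "authroot-public-root" if thumb.upper() in KNOWN_PUBLIC_ROOTS else "authroot-unknown-root"
    if store == "root":
        # A certificate written straight into Root (machine or user) is the
        # event that actually earns the name "modifies system certificate store".
        return "trust-anchor-written"
    return "cert-store-other"


def is_system_cryptnet_cache(path: str) -> bool:
    """True for the paths behind the 'Drops file in System32 directory' rows:
    a service fetching a CRL, OCSP response or root over HTTP."""
    return bool(SYSTEM_CRYPTNET.match(path))


def summarize(events) -> Counter:
    """Count events per label."""
    return Counter(classify(op, key) for op, key in events)


HKU_DEF = r"\REGISTRY\USER\.DEFAULT\Software"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates"
THUMB = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
AUTHROOT_CERT = HKLM + "\\AuthRoot\\Certificates\\" + THUMB
ROOT_FAKE = HKLM + "\\Root\\Certificates\\" + "0" * 40  # constructed placeholder thumbprint
SAMPLE_EVENTS = [
    ("Key created", HKU_DEF + r"\Microsoft\SystemCertificates\CA\Certificates"),
    ("Key created", HKU_DEF + r"\Policies\Microsoft\SystemCertificates\Disallowed\CRLs"),
    ("Key created", HKU_DEF + r"\Microsoft\SystemCertificates\Root"),
    ("Key created", HKU_DEF + r"\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"),
    ("Key created", AUTHROOT_CERT),
    ("Set value (data)", AUTHROOT_CERT + "\\Blob"),
    # Constructed counter-example, not on the page: a root written by the
    # process itself into the Root store.
    ("Set value (data)", ROOT_FAKE + "\\Blob"),
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:2d}  {label}")
```

On the page's own rows every event falls into store-open-as-system or authroot-public-root; only the constructed Root-store write produces trust-anchor-written, which is the bucket worth escalating.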
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe | "C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" " |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe | rfusclient.exe -deploy |
| C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe" -run_agent |
| C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | "C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon |
| C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe -second |
| C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe | C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe /tray /user |
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.136:443 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| US | 8.8.8.8:53 | rms.ecomeds.ru | udp |
| RU | 95.143.15.215:5655 | rms.ecomeds.ru | tcp |
| US | 8.8.8.8:53 | t2.symcb.com | udp |
| DE | 23.37.43.27:80 | t2.symcb.com | tcp |
| US | 8.8.8.8:53 | tl.symcd.com | udp |
| DE | 23.37.43.27:80 | tl.symcd.com | tcp |
| NL | 20.190.160.69:443 | | tcp |
| NL | 20.190.160.69:443 | | tcp |
| US | 20.189.173.4:443 | | tcp |
| NL | 20.190.160.6:443 | | tcp |
| NL | 20.190.160.6:443 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.123.41.162:80 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 20.190.160.4:443 | | tcp |
| NL | 20.190.160.4:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
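The Processes and Network tables together give the deployment chain a detection needs: the 7-Zip SFX runs install.cmd, rfusclient.exe -deploy copies the agent into %APPDATA%\RMS-Agent\<id>\<hex>\, rfusclient.exe -run_agent starts rutserv.exe, the Secondary Logon service host (svchost.exe -s seclogon) is recorded as the creator of one rutserv.exe instance (the NtCreateUserProcessOtherParentProcess row, PID 860 created 1712), a -second instance and a /tray /user helper follow, and the host connects to rms.ecomeds.ru on TCP 5655. The script below, an added example that is not part of the sandbox report or of the RMS product, turns those observations into matching logic and runs it over records constructed from the two tables. The record layout (image, cmdline, parent_cmdline, dst, proto, domain) is an assumption made for the example rather than a Sysmon or EDR schema, and the only parent link it records is the seclogon one the page states.

```python
"""Triage the RMS (Remote Utilities) agent chain recorded in the report above.

Added example; not from the sandbox report or the RMS product.  Sample records
are constructed from the Processes and Network tables; the record layout is an
assumption for the example, not a Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass

# Install directory pattern seen on the page: %APPDATA%\RMS-Agent\<digits>\<hex>\
RMS_AGENT_IMAGE = re.compile(
    r"\\AppData\\Roaming\\RMS-Agent\\\d+\\[0-9A-F]+\\(rutserv|rfusclient)\.exe$",
    re.IGNORECASE,
)
# Command-line switches the page records for each binary.
RMS_SWITCHES = {
    "rfusclient.exe": {"-deploy", "-run_agent", "/tray"},
    "rutserv.exe": {"-second"},
}
# svchost.exe hosting the Secondary Logon service.  A child of seclogon was
# started through a CreateProcessWithLogonW/CreateProcessWithTokenW style call,
# which is why the sandbox raised NtCreateUserProcessOtherParentProcess.  That
# parent is shared with runas and many admin tools, so it is context, not a
# verdict on its own.
SECLOGON = re.compile(r"svchost\.exe -k netsvcs(?: -p)? -s seclogon$", re.IGNORECASE)
RMS_PORT = 5655  # port of the rms.ecomeds.ru connection in the Network table


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_cmdline: str = ""


@dataclass
class NetEvent:
    dst: str  # "ip:port"
    proto: str
    domain: str = ""


def process_reasons(ev: ProcEvent) -> list:
    """Reasons a process-creation record looks like RMS agent activity."""
    reasons = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if RMS_AGENT_IMAGE.search(ev.image):
        reasons.append("image under RMS-Agent install directory")
    switches = set(ev.cmdline.split()) & RMS_SWITCHES.get(exe, set())
    if switches:
        reasons.append("RMS switch " + " ".join(sorted(switches)))
    if exe == "rutserv.exe" and SECLOGON.search(ev.parent_cmdline):
        reasons.append("rutserv.exe started by the seclogon service host")
    return reasons


def network_reasons(ev: NetEvent) -> list:
    """Only the RMS host port is attributable from the page; the CRL/OCSP and
    port-443 destinations are not tied to a process there, so they are left alone."""
    ip, _, port = ev.dst.rpartition(":")
    if ev.proto == "tcp" and port.isdigit() and int(port) == RMS_PORT:
        return [f"RMS host port {RMS_PORT} to {ev.domain or ip}"]
    return []


def triage(procs, nets) -> dict:
    """Return {record: reasons} for every record that matched at least once."""
    out = {}
    for p in procs:
        if r := process_reasons(p):
            out[p.cmdline] = r
    for n in nets:
        if r := network_reasons(n):
            out[n.dst] = r
    return out


AGENT = r"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77"
SECLOGON_CMD = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon"
# Constructed from the Processes table.  The only parent link the page states
# is seclogon -> rutserv.exe (PID 860 created 1712), so it is the only one set.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "'),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe", "rfusclient.exe -deploy"),
    ProcEvent(AGENT + r"\rfusclient.exe", f'"{AGENT}\\rfusclient.exe" -run_agent'),
    ProcEvent(AGENT + r"\rutserv.exe", f'"{AGENT}\\rutserv.exe"', parent_cmdline=SECLOGON_CMD),
    ProcEvent(AGENT + r"\rutserv.exe", f"{AGENT}\\rutserv.exe -second"),
    ProcEvent(AGENT + r"\rfusclient.exe", f"{AGENT}\\rfusclient.exe /tray /user"),
]
# Constructed from the Network table.
SAMPLE_NETS = [
    NetEvent("8.8.8.8:53", "udp", "rms.ecomeds.ru"),
    NetEvent("95.143.15.215:5655", "tcp", "rms.ecomeds.ru"),
    NetEvent("23.37.43.27:80", "tcp", "t2.symcb.com"),
    NetEvent("20.190.160.136:443", "tcp"),
]

if __name__ == "__main__":
    for key, why in triage(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(key, "->", "; ".join(why))
```

The install-directory pattern and the -deploy/-run_agent/-second/tray switches are product behaviour and will fire on any RMS deployment, legitimate or not; what separates this sample from an administrator's install is the context (a 7-Zip SFX dropper in %TEMP%, an unfamiliar host on port 5655), so keep the seclogon and port checks as supporting evidence rather than as the sole trigger.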
Files
memory/3096-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
| MD5 | 9b7ac054975f8f7b6fe9a41a18e2d6e7 |
| SHA1 | d820008d3732f37a7e4030c4bd414e3764de1af7 |
| SHA256 | 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255 |
| SHA512 | 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9 |
memory/2892-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini
| MD5 | 6b948f51b8645b3a315a5466b615e3c7 |
| SHA1 | e96926a39e6a41f1dd40a564d0cfa80edd6e70a4 |
| SHA256 | ee7c0246e8c9f100c7acbd09bed0d7633f4f9bd9095c56fc6f64c74c83d61768 |
| SHA512 | 674ed59e744e99f492d576eb8c1736e0d4b34c9a25fe87fb4dbae4c7fb76c1a45731a3f4eb7823eaae0567da269d6041706b06782047dd1b5ad9c6b494c649cd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png
| MD5 | 8c36cac6a4b532366bd357139715f64f |
| SHA1 | a05f193ccb47474323598df7325a9cf2400da91c |
| SHA256 | 49529ab38016ca0fa715456b0eed7569741b7370f0bb828b6d21edcdd8730b0a |
| SHA512 | eaa525dc4138b6df7f4cb24a37a413fe1446fb20b852fadc284ebd2636177900553e5794d2da0af3e6a33cf07b003359f0622477157f57587eb524494095e564 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf
| MD5 | c3d7db3461db0dbb8a1d2a937b1d6252 |
| SHA1 | 35fafe6c6812f20454c709b0a43a21bf7e9f66bf |
| SHA256 | cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46 |
| SHA512 | 9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg
| MD5 | 294227da6f9c610c49d38e3965bcdb71 |
| SHA1 | a6f694235a68fe35ece21d39e736e16053f4b91d |
| SHA256 | 55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755 |
| SHA512 | 0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt
| MD5 | 90b15937ff9ec75f7016e171bd1261ce |
| SHA1 | 3fa80c58e8bf6c3ab356047cfaa14187328c3732 |
| SHA256 | eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a |
| SHA512 | 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll
| MD5 | 59068498190113e051d94fd0b5ef98aa |
| SHA1 | 6b64bb29763c43a86a4be87fcbc94b2f4697ced3 |
| SHA256 | 097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46 |
| SHA512 | f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Russian.lg
| MD5 | cc99020d311e97d6127ab9ddd44c980b |
| SHA1 | 57746de06ba0f206f6ef34c453b5d5cc1f00e136 |
| SHA256 | 37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b |
| SHA512 | 4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe
| MD5 | d10dae1197db0b694c832ae512b34024 |
| SHA1 | 24757c07c814d53ded645547bc53e29c98919077 |
| SHA256 | 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be |
| SHA512 | f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll
| MD5 | 56c10161ff350d143fe51affe777d19f |
| SHA1 | 54abec9bcf95904b666fa5dbdc9b976acb59e79d |
| SHA256 | 4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8 |
| SHA512 | 229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll
| MD5 | 5308b9945e348fbe3a480be06885434c |
| SHA1 | 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff |
| SHA256 | 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a |
| SHA512 | 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll
| MD5 | 7a9eeac3ceaf7f95f44eb5c57b4db2e3 |
| SHA1 | be1048c254aa3114358f76d08c55667c4bf2d382 |
| SHA256 | b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88 |
| SHA512 | b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll
| MD5 | d29f7070ee379544aeb19913621c88e6 |
| SHA1 | 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be |
| SHA256 | 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf |
| SHA512 | 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
| MD5 | 89770647609ac26c1bbd9cf6ed50954e |
| SHA1 | 349eed120070bab7e96272697b39e786423ac1d3 |
| SHA256 | 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4 |
| SHA512 | a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
| MD5 | 1ea62293ac757a0c2b64e632f30db636 |
| SHA1 | 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba |
| SHA256 | 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df |
| SHA512 | 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat
| MD5 | b16ea675ebd94251048b55bfb0fc9c2a |
| SHA1 | b39e923cfeca6d05de88f3a815af42cc754905af |
| SHA256 | 5b13a17d77f6f8eec9f20c3155bfdc39d09c5b668929fc46295b480b896851b0 |
| SHA512 | 03636f9c47bb0c85ce76b3a6439da42ec94c9417dffeebe292566bda2620f31d4b0836fe38bfb5e4d3299d192a6aa34eed867bc1f8ba050dad344ddbe30c2959 |
memory/2156-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
memory/1712-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
| MD5 | d10dae1197db0b694c832ae512b34024 |
| SHA1 | 24757c07c814d53ded645547bc53e29c98919077 |
| SHA256 | 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be |
| SHA512 | f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e |
memory/4964-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
| MD5 | d10dae1197db0b694c832ae512b34024 |
| SHA1 | 24757c07c814d53ded645547bc53e29c98919077 |
| SHA256 | 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be |
| SHA512 | f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e |
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |
memory/3496-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
| MD5 | b274f6fe4595bd970e2a14ca27c0ed51 |
| SHA1 | 1829e2c4c725e363b566dd0267265dd84f3f924d |
| SHA256 | 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0 |
| SHA512 | 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de |