Malware Analysis Report

2024-11-13 16:21

Sample ID 220517-pb1wyseccm
Target B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe
SHA256 b55cf23b9c1295cb522a86734d55de3a3263e63fc58bb4004de54fd4475c531e
Tags
rms rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b55cf23b9c1295cb522a86734d55de3a3263e63fc58bb4004de54fd4475c531e

Threat Level: Known bad

The file B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

RMS

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-17 12:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-17 12:10

Reported

2022-05-17 12:12

Platform

win7-20220414-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"

Signatures

RMS

trojan rat rms

RMS (Remote Manipulator System, sold as Remote Utilities) is a commercial remote-administration suite: rutserv.exe is its host service and rfusclient.exe its client and tray component, which is why the dropped modules (RIPCServer.dll, RWLN.dll, the VP8/WebM codec DLLs, English.lg, Russian.lg, EULA.rtf) look like an ordinary install. The RAT verdict rests on the delivery, not the binaries: a 7-Zip SFX runs install.cmd, which deploys a pre-configured agent (config.txt, settings.dat, branding.ini) under %APPDATA%\RMS-Agent\ with rfusclient.exe -deploy and starts it with -run_agent, after which the host connects out to rms.ecomeds.ru on TCP 5655 (see Network below).

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe N/A

Drops file in System32 directory

The paths below are the CryptoAPI URL cache (CryptnetUrlCache) of the LocalSystem profile, C:\Windows\SysWOW64\config\systemprofile, which Windows populates when a 32-bit process running as SYSTEM fetches CRL, OCSP or root-update data. Nothing is written into System32 itself; read these rows together with the HKEY_USERS\.DEFAULT writes and the SeTcbPrivilege use below as evidence that rutserv.exe runs as a service under LocalSystem rather than in the Admin user's session.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

HKEY_USERS\.DEFAULT is the hive a LocalSystem service sees as HKCU. The keys below are the per-user certificate stores (CA, Root, TrustedPeople, Disallowed, trust, My, SmartCardRoot) and the WinTrust provider key that CryptoAPI creates empty on first use; they carry no data and provide no persistence. The single value set, LanguageList under MuiCache, is the UTF-16 string list "en-US", "en".

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan

Both keys sit under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot, the store that Windows' automatic root update fills on demand while building a certificate chain. The one Blob preserved in full below (key 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) is the public DigiCert Assured ID Root CA, self-signed, with a SHA-1 thumbprint equal to the key name; the CryptnetUrlCache writes above and the t2.symcb.com and tl.symcd.com lookups in the Network section are the same chain-validation traffic. Read the tag as "CryptoAPI fetched a missing root while rutserv.exe verified a signature or a TLS peer", not as an attacker-installed root: a planted root would show up as a key whose thumbprint is not a known public CA, or whose Blob does not hash to the key name.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (data elided) C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (data elided) C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (data elided) C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
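
What is actually inside that Blob is worth checking rather than trusting the signature name. The script below is an added example, not part of the report or of the sandbox's tooling: it carries the 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Blob from the table above (re-joined across the report's line break), splits it into the CryptoAPI property records it is made of, extracts the DER certificate, and checks that the SHA-1 of that certificate equals both the stored thumbprint property and the registry key name. The record layout and the property IDs follow wincrypt.h; the function names are this example's own, and the CN extraction is a deliberately minimal byte scan rather than a general ASN.1 parser, which is enough for a self-signed root.

```python
import hashlib
import struct
from typing import Dict

# Property IDs from wincrypt.h that occur in this Blob
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Registry key the Blob was written under (from the report)
KEY_THUMBPRINT = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"

# The Blob value as logged in the report, split here by record:
#   DWORD propId | DWORD reserved (always 1) | DWORD cbData | data
BLOB_HEX = (
    "04000000" "01000000" "10000000" "87ce0b7b2a0e4900e158719b37a89372"          # 4: MD5 of cert
    "0f000000" "01000000" "14000000" "6dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"  # 15: signature hash
    "09000000" "01000000" "34000000" "3032"                                       # 9: EKU OID SEQUENCE
    "06082b06010505070301" "06082b06010505070302" "06082b06010505070304"       # serverAuth, clientAuth, emailProtection
    "06082b06010505070303" "06082b06010505070308"                                # codeSigning, timeStamping
    "14000000" "01000000" "14000000" "45eba2aff492cb82312d518ba7a7219df36dc80f"  # 20: subject key identifier
    "0b000000" "01000000" "12000000" "440069006700690043006500720074000000"      # 11: UTF-16LE "DigiCert\0"
    "1d000000" "01000000" "10000000" "4f5f106930398d09107b40c3c7ca8f1c"          # 29: MD5 hash property
    "03000000" "01000000" "14000000" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"  # 3: SHA-1 thumbprint
    "19000000" "01000000" "10000000" "749966cecc95c1874194ca7203f9b620"          # 25: MD5 hash property
    "20000000" "01000000" "bb030000"                                              # 32: 0x3bb bytes of DER
    "308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d0101050500"
    "3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b"
    "13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420"
    "526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b"
    "13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420"
    "526f6f7420434130820122300d06092a864886f70d0101010500" "0382010f00" "3082010a" "0282010100"
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc"
    "9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2"
    "125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b76"
    "6dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0"
    "b7c5a83f9516d0ffa196eb085f18774f" "0203010001"
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f"
    "301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"
    "300d06092a864886f70d0101050500" "0382010100"
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d"
    "834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0"
    "dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468"
    "eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b7"
    "2b0708ce2ee650b2a7fa0a452fa2f0f2"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a serialized-certificate Blob into {propId: data}; raise on a malformed record."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + size > len(blob):
            raise ValueError(f"malformed record {prop_id} at offset {off}")
        props[prop_id] = blob[off + 12:off + 12 + size]
        off += 12 + size
    return props


def first_common_name(der: bytes) -> str:
    """First CN (OID 2.5.4.3) in a DER certificate: scan for the encoded OID, read the string
    after it. Enough for a self-signed root (issuer == subject); not a general ASN.1 parser."""
    i = der.find(b"\x06\x03\x55\x04\x03")
    if i < 0 or der[i + 6] >= 0x80:        # short-form length only
        return ""
    return der[i + 7:i + 7 + der[i + 6]].decode("ascii", "replace")


def inspect_blob(key_name: str, blob_hex: str) -> dict:
    """Decode the Blob and check that key name, stored SHA-1 and the DER itself all agree."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest()
    return {
        "prop_ids": sorted(props),
        "der_len": len(der),
        "sha1": sha1,
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "common_name": first_common_name(der),
        # a planted root shows up as a mismatch here, or as a CN you do not recognise
        "consistent": sha1 == props[CERT_SHA1_HASH_PROP_ID].hex() == key_name.lower(),
    }


if __name__ == "__main__":
    for field, value in inspect_blob(KEY_THUMBPRINT, BLOB_HEX).items():
        print(f"{field:14} {value}")
```

Run against the report's Blob, the certificate resolves to CN=DigiCert Assured ID Root CA with a thumbprint that matches both the stored property and the key name, which is what Windows caching a public root looks like. The same check applied to a key whose name is not a known CA, or whose Blob does not hash to the key name, is how an attacker-planted root would surface.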

Suspicious use of AdjustPrivilegeToken

SeTcbPrivilege is present by default only in the LocalSystem token, so enabling it can only succeed if rutserv.exe is running as SYSTEM; SeDebugPrivilege and SeTakeOwnershipPrivilege are what a remote-control host uses to reach other users' sessions and files. The rows record the AdjustTokenPrivileges call, not its result.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Every launch in the chain appears here several times because the sandbox records each write a parent makes into its new child's address space during CreateProcess (PEB, process parameters, environment). The rows reconstruct the process tree, sample (960) > cmd.exe (1892) > Temp\7ZipSfx.000\rfusclient.exe (1692) > RMS-Agent\rfusclient.exe (1852) > rutserv.exe (1180), plus a second rutserv.exe (776) > rfusclient.exe (1620); they do not show injection into an unrelated process.

Description Indicator Process Target
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 1892 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 1892 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 1892 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 1692 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 1692 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 1692 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 1692 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 1852 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 1852 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 1852 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 1852 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 776 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 776 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 776 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 776 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe

"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe"

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe /tray /user
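
The Processes list above and the WriteProcessMemory rows before it together give the full deployment chain, which is what a detection should key on rather than the individual binaries (legitimate Remote Utilities installs use the same executables). The following is an added example, not part of the report or of the sandbox: it rebuilds the chain as process-creation events, runs four rules over them (RMS host binary outside Program Files, an image path under %APPDATA%\RMS-Agent\, the -deploy / -run_agent / -second / /tray flags, and cmd.exe running install.cmd out of a 7ZipSfx.NNN directory), then walks parent links so that the SFX-to-agent chain is reported as one finding. PIDs, image paths and command lines are the report's; pairing the two RMS-Agent rfusclient.exe instances and the two rutserv.exe instances with their flags follows the order of the Processes list and is an assumption, PID 776's parent is not recorded, and the notepad.exe row is a constructed negative control. Rule names and the ProcEvent shape are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 = parent not recorded
    image: str
    cmdline: str


SFX_TMP = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
RMS_AGENT = r"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"

# Process-creation events rebuilt from the report's Processes and WriteProcessMemory rows.
# Flag-to-PID pairing for the RMS-Agent instances is assumed from the Processes order;
# PID 776's parent is unknown (0); the notepad.exe row is a constructed negative control.
SAMPLE_EVENTS = [
    ProcEvent(960, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1892, 960, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{SFX_TMP}\\install.cmd" "'),
    ProcEvent(1692, 1892, SFX_TMP + r"\rfusclient.exe", "rfusclient.exe -deploy"),
    ProcEvent(1852, 1692, RMS_AGENT + r"\rfusclient.exe", f'"{RMS_AGENT}\\rfusclient.exe" -run_agent'),
    ProcEvent(1180, 1852, RMS_AGENT + r"\rutserv.exe", f'"{RMS_AGENT}\\rutserv.exe"'),
    ProcEvent(776, 0, RMS_AGENT + r"\rutserv.exe", RMS_AGENT + r"\rutserv.exe -second"),
    ProcEvent(1620, 776, RMS_AGENT + r"\rfusclient.exe", RMS_AGENT + r"\rfusclient.exe /tray /user"),
    ProcEvent(4242, 960, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
RMS_AGENT_DIR = re.compile(r"\\AppData\\Roaming\\RMS-Agent\\", re.I)
RMS_FLAGS = re.compile(r"(?:^|\s)(?:-deploy|-run_agent|-second|/tray)(?:\s|$)", re.I)
SFX_INSTALL = re.compile(r"\\7ZipSfx\.\d+\\install\.cmd", re.I)
PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.I)


def classify(ev: ProcEvent) -> Set[str]:
    """Rule names that fire on one event; empty set for anything uninteresting."""
    hits: Set[str] = set()
    base = ntpath.basename(ev.image).lower()
    if RMS_AGENT_DIR.search(ev.image):
        hits.add("rms_agent_path")                       # agent deployed under %APPDATA%
    if base in RMS_BINARIES and not PROGRAM_FILES.match(ev.image):
        hits.add("rms_binary_outside_program_files")     # host binary in a user-writable dir
    if base in RMS_BINARIES and RMS_FLAGS.search(ev.cmdline):
        hits.add("rms_deploy_flags")                     # -deploy / -run_agent / -second / /tray
    if base == "cmd.exe" and SFX_INSTALL.search(ev.cmdline):
        hits.add("sfx_install_cmd")                      # 7-Zip SFX running its install script
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """pid -> rule hits, for events with at least one hit."""
    out: Dict[int, Set[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.pid] = hits
    return out


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Root-first list of PIDs from the earliest recorded ancestor down to pid."""
    by_pid = {ev.pid: ev for ev in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:            # stop at an unrecorded parent or a cycle
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def deployment_chains(events: List[ProcEvent]) -> List[List[int]]:
    """Chains that start at an SFX install.cmd and end in a process running from RMS-Agent."""
    hits = scan(events)
    chains: List[List[int]] = []
    for ev in events:
        if "rms_agent_path" in hits.get(ev.pid, set()):
            chain = ancestry(events, ev.pid)
            if any("sfx_install_cmd" in hits.get(p, set()) for p in chain):
                chains.append(chain)
    return chains


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, sorted(rules))
    for chain in deployment_chains(SAMPLE_EVENTS):
        print(" > ".join(map(str, chain)))
```

The per-event rules alone would also fire on an administrator's hand-installed agent under %APPDATA%; the chain rule is the one that is specific to this delivery, because it requires the cmd.exe / install.cmd / 7ZipSfx step as an ancestor of the RMS-Agent process. The second rutserv.exe (776) and its tray client are left out of the chain finding precisely because the report does not record their parent, which is the honest result for a service restart observed without its launcher.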

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 t2.symcb.com udp
DE 23.37.43.27:80 t2.symcb.com tcp
US 8.8.8.8:53 rms.ecomeds.ru udp
US 8.8.8.8:53 tl.symcd.com udp
DE 23.37.43.27:80 tl.symcd.com tcp
RU 95.143.15.215:5655 rms.ecomeds.ru tcp

Files

memory/960-54-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1892-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 9b7ac054975f8f7b6fe9a41a18e2d6e7
SHA1 d820008d3732f37a7e4030c4bd414e3764de1af7
SHA256 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255
SHA512 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

memory/1692-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 294227da6f9c610c49d38e3965bcdb71
SHA1 a6f694235a68fe35ece21d39e736e16053f4b91d
SHA256 55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755
SHA512 0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

MD5 c3d7db3461db0dbb8a1d2a937b1d6252
SHA1 35fafe6c6812f20454c709b0a43a21bf7e9f66bf
SHA256 cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46
SHA512 9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 8c36cac6a4b532366bd357139715f64f
SHA1 a05f193ccb47474323598df7325a9cf2400da91c
SHA256 49529ab38016ca0fa715456b0eed7569741b7370f0bb828b6d21edcdd8730b0a
SHA512 eaa525dc4138b6df7f4cb24a37a413fe1446fb20b852fadc284ebd2636177900553e5794d2da0af3e6a33cf07b003359f0622477157f57587eb524494095e564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

MD5 90b15937ff9ec75f7016e171bd1261ce
SHA1 3fa80c58e8bf6c3ab356047cfaa14187328c3732
SHA256 eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a
SHA512 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Russian.lg

MD5 cc99020d311e97d6127ab9ddd44c980b
SHA1 57746de06ba0f206f6ef34c453b5d5cc1f00e136
SHA256 37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b
SHA512 4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 59068498190113e051d94fd0b5ef98aa
SHA1 6b64bb29763c43a86a4be87fcbc94b2f4697ced3
SHA256 097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46
SHA512 f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 6b948f51b8645b3a315a5466b615e3c7
SHA1 e96926a39e6a41f1dd40a564d0cfa80edd6e70a4
SHA256 ee7c0246e8c9f100c7acbd09bed0d7633f4f9bd9095c56fc6f64c74c83d61768
SHA512 674ed59e744e99f492d576eb8c1736e0d4b34c9a25fe87fb4dbae4c7fb76c1a45731a3f4eb7823eaae0567da269d6041706b06782047dd1b5ad9c6b494c649cd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 89770647609ac26c1bbd9cf6ed50954e
SHA1 349eed120070bab7e96272697b39e786423ac1d3
SHA256 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4
SHA512 a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 5308b9945e348fbe3a480be06885434c
SHA1 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff
SHA256 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a
SHA512 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 7a9eeac3ceaf7f95f44eb5c57b4db2e3
SHA1 be1048c254aa3114358f76d08c55667c4bf2d382
SHA256 b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88
SHA512 b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 d29f7070ee379544aeb19913621c88e6
SHA1 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be
SHA256 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf
SHA512 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 1ea62293ac757a0c2b64e632f30db636
SHA1 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba
SHA256 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df
SHA512 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 b16ea675ebd94251048b55bfb0fc9c2a
SHA1 b39e923cfeca6d05de88f3a815af42cc754905af
SHA256 5b13a17d77f6f8eec9f20c3155bfdc39d09c5b668929fc46295b480b896851b0
SHA512 03636f9c47bb0c85ce76b3a6439da42ec94c9417dffeebe292566bda2620f31d4b0836fe38bfb5e4d3299d192a6aa34eed867bc1f8ba050dad344ddbe30c2959

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 56c10161ff350d143fe51affe777d19f
SHA1 54abec9bcf95904b666fa5dbdc9b976acb59e79d
SHA256 4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8
SHA512 229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

memory/1852-79-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

memory/1180-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

memory/1620-92-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-17 12:10

Reported

2022-05-17 12:12

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"

Signatures

RMS

trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 860 created 1712 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 3096 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 3096 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe
PID 2892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 2892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 2892 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 2156 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 2156 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 2156 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 860 wrote to memory of 4964 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 860 wrote to memory of 4964 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 860 wrote to memory of 4964 N/A C:\Windows\system32\svchost.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe
PID 4964 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 4964 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe
PID 4964 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

Processes

C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe

"C:\Users\Admin\AppData\Local\Temp\B55CF23B9C1295CB522A86734D55DE3A3263E63FC58BB.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

rfusclient.exe -deploy

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe" -run_agent

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

"C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe -second

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe /tray /user

Network

Country Destination Domain Proto
NL 20.190.160.136:443 tcp
NL 20.190.160.136:443 tcp
US 8.8.8.8:53 rms.ecomeds.ru udp
RU 95.143.15.215:5655 rms.ecomeds.ru tcp
US 8.8.8.8:53 t2.symcb.com udp
DE 23.37.43.27:80 t2.symcb.com tcp
US 8.8.8.8:53 tl.symcd.com udp
DE 23.37.43.27:80 tl.symcd.com tcp
NL 20.190.160.69:443 tcp
NL 20.190.160.69:443 tcp
US 20.189.173.4:443 tcp
NL 20.190.160.6:443 tcp
NL 20.190.160.6:443 tcp
NL 20.190.160.2:443 tcp
NL 104.110.191.133:80 tcp
NL 104.123.41.162:80 tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.4:443 tcp
NL 20.190.160.4:443 tcp
NL 20.190.160.71:443 tcp
NL 20.190.160.71:443 tcp

Files

memory/3096-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 9b7ac054975f8f7b6fe9a41a18e2d6e7
SHA1 d820008d3732f37a7e4030c4bd414e3764de1af7
SHA256 815255a94853b2677f84ad15ff188f66a7e1ccd700bc7bf94afa05e2f4992255
SHA512 806d3161399eef58c87e7a14b850641c025bd0bfd98b827a16c2323402fc67a11db0b6714887d4a3be029f383ba9bdb75993b86d406208bc295b63f15f969cc9

memory/2892-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\branding.ini

MD5 6b948f51b8645b3a315a5466b615e3c7
SHA1 e96926a39e6a41f1dd40a564d0cfa80edd6e70a4
SHA256 ee7c0246e8c9f100c7acbd09bed0d7633f4f9bd9095c56fc6f64c74c83d61768
SHA512 674ed59e744e99f492d576eb8c1736e0d4b34c9a25fe87fb4dbae4c7fb76c1a45731a3f4eb7823eaae0567da269d6041706b06782047dd1b5ad9c6b494c649cd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\logo.png

MD5 8c36cac6a4b532366bd357139715f64f
SHA1 a05f193ccb47474323598df7325a9cf2400da91c
SHA256 49529ab38016ca0fa715456b0eed7569741b7370f0bb828b6d21edcdd8730b0a
SHA512 eaa525dc4138b6df7f4cb24a37a413fe1446fb20b852fadc284ebd2636177900553e5794d2da0af3e6a33cf07b003359f0622477157f57587eb524494095e564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EULA.rtf

MD5 c3d7db3461db0dbb8a1d2a937b1d6252
SHA1 35fafe6c6812f20454c709b0a43a21bf7e9f66bf
SHA256 cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46
SHA512 9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\English.lg

MD5 294227da6f9c610c49d38e3965bcdb71
SHA1 a6f694235a68fe35ece21d39e736e16053f4b91d
SHA256 55fb4c823838b383d077b5c45df2be5fa47abc798054701c23fde5f312379755
SHA512 0f3661ca19385d08bbee4419178f7bf9ee7701385c981b94fe81a60438f486c8bea2c048b1bdaf1387265e2d4a1ed4cec2558b7f7fa6d69916c5abbb0b7689a9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.txt

MD5 90b15937ff9ec75f7016e171bd1261ce
SHA1 3fa80c58e8bf6c3ab356047cfaa14187328c3732
SHA256 eb35f14c5463a76bdeef12596c09894e137cd40d0998d2a717ae2d1f572bc37a
SHA512 993aa4eb890a79c469849cf3b55e474def3b14beb72ca4785de38976b753a2aface4bb6b45515f9d7cfe2a99e11d530f694a2d95625c3bb16ae70740509ba95a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RIPCServer.dll

MD5 59068498190113e051d94fd0b5ef98aa
SHA1 6b64bb29763c43a86a4be87fcbc94b2f4697ced3
SHA256 097c87769734699254c4f85a6268539c2d90245650930f44d245e75bcc4a3e46
SHA512 f7093d9b544fcbd3d7336b42eb9c79e17aa2b01910b3a1a23e23036d6230116e1dc3bde0602ab18efcd53c184c77d57348b2dea889c313a4a605d0714ec35ef8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Russian.lg

MD5 cc99020d311e97d6127ab9ddd44c980b
SHA1 57746de06ba0f206f6ef34c453b5d5cc1f00e136
SHA256 37c133f5c437a56c85ee3ca4c921f61c4532b375975c2b2dd9b4b5983e51c66b
SHA512 4122f3ef2e454382967ab3ac4e7d5f44f5156b0a97e6ebe98467d399a4281a72bc1a87f26b7f67893a64dbcb6d34e1b7775effaff969e87873b42c43eca336fa

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RWLN.dll

MD5 56c10161ff350d143fe51affe777d19f
SHA1 54abec9bcf95904b666fa5dbdc9b976acb59e79d
SHA256 4d4dd771e72a4654063dfb06dafef1fd0701ed93c407e68b0f10782e453564c8
SHA512 229fdf7503f76ed00f05711c58d1978df9327b085c750873714a52e10db7d53bc702e800d280bb086faa3b360f0b2eecf7aa953b0f9ed1be7eabdd9793493d85

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisencoder.dll

MD5 5308b9945e348fbe3a480be06885434c
SHA1 5c3cb39686cca3e9586e4b405fc8e1853caaf8ff
SHA256 9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a
SHA512 4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmvorbisdecoder.dll

MD5 7a9eeac3ceaf7f95f44eb5c57b4db2e3
SHA1 be1048c254aa3114358f76d08c55667c4bf2d382
SHA256 b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88
SHA512 b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\webmmux.dll

MD5 d29f7070ee379544aeb19913621c88e6
SHA1 499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be
SHA256 654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf
SHA512 4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll

MD5 89770647609ac26c1bbd9cf6ed50954e
SHA1 349eed120070bab7e96272697b39e786423ac1d3
SHA256 7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4
SHA512 a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll

MD5 1ea62293ac757a0c2b64e632f30db636
SHA1 8c8ac6f8f28f432a514c3a43ea50c90daf66bfba
SHA256 970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df
SHA512 857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

MD5 b16ea675ebd94251048b55bfb0fc9c2a
SHA1 b39e923cfeca6d05de88f3a815af42cc754905af
SHA256 5b13a17d77f6f8eec9f20c3155bfdc39d09c5b668929fc46295b480b896851b0
SHA512 03636f9c47bb0c85ce76b3a6439da42ec94c9417dffeebe292566bda2620f31d4b0836fe38bfb5e4d3299d192a6aa34eed867bc1f8ba050dad344ddbe30c2959

memory/2156-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

memory/1712-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

memory/4964-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rutserv.exe

MD5 d10dae1197db0b694c832ae512b34024
SHA1 24757c07c814d53ded645547bc53e29c98919077
SHA256 74892811c87f574aea6d8b3a5419845a58096deaece96a9c6f06e5ad4f8859be
SHA512 f968b9084c51aa3b4f24cf99ee0d354f323d435ad7c15a884bf16dc3b8d67f721d4c7bb5f111a44033a15d820f58e813e0dccbf1f84bd3ca736a0c57bd98395e

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de

memory/3496-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RMS-Agent\68001\D12D2E4C77\rfusclient.exe

MD5 b274f6fe4595bd970e2a14ca27c0ed51
SHA1 1829e2c4c725e363b566dd0267265dd84f3f924d
SHA256 6a285042cf70fc2087c828891d17cc33b33902943a74fec778dc88420ebd05a0
SHA512 237d524b345cff6c28bba6aec5e28d3edfc48be04277e0157ede932c857797eac1670cdb1a4979f40f19c3e6635335c944fca03f8c446570c39f5fd5ef8379de