Malware analysis RDM_Root_Cert_Update_Windows 1.zip Malicious activity

Add for printing

File name:	RDM_Root_Cert_Update_Windows 1.zip
Full analysis:	https://app.any.run/tasks/47356c5e-78c5-4ca4-9e7e-1fa8a511b81d
Verdict:	Malicious activity
Analysis date:	July 22, 2024, 15:22:45
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	4712C264C63CDA22C8BA1BC7D2E202BC
SHA1:	05460A4BA8FC1515FF858584C83955855D6446A6
SHA256:	2D46FF3CBAC2B089B1382DD24565E68BFDAC0F627231DAB1B6552A1B3C2B4132
SSDEEP:	98304:gi3H0pQbmWqNfPGo5XhVyB5MmZ87iA6COH7ZIfKE2vxFZZixOGk2l8/Zx24/6Ijy:ZsBzZuHqj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3800)
  - RDM_Root_Cert_Update_Windows.exe (PID: 7368)
  - RDM_Root_Cert_Update_Windows.exe (PID: 5660)
  - RDM_ROOTCERTIFICATE.exe (PID: 3408)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
- Starts NET.EXE for service management
  - net.exe (PID: 8016)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
  - net.exe (PID: 2868)
  - net.exe (PID: 6892)
  - net.exe (PID: 7100)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4984)
- Executable content was dropped or overwritten
  - RDM_Root_Cert_Update_Windows.exe (PID: 7368)
  - RDM_Root_Cert_Update_Windows.exe (PID: 5660)
  - RDM_ROOTCERTIFICATE.exe (PID: 3408)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- Reads the date of Windows installation
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4984)
- Reads the Windows owner or organization settings
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- Process drops legitimate windows executable
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- Executing commands from a ".bat" file
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 4808)
  - cmd.exe (PID: 6764)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- The executable file from the user directory is run by the CMD process
  - certmgr.exe (PID: 7544)
  - certmgr.exe (PID: 68)
- Starts a Microsoft application from unusual location
  - certmgr.exe (PID: 7544)
  - certmgr.exe (PID: 68)
  - certmgr.exe (PID: 4308)
- Adds/modifies Windows certificates
  - certmgr.exe (PID: 4308)
  - certutil.exe (PID: 2220)
- Application launched itself
  - cmd.exe (PID: 6764)
  - cmd.exe (PID: 4808)
INFO
- Checks supported languages
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4984)
  - RDM_Root_Cert_Update_Windows.exe (PID: 7368)
  - RDM_Root_Cert_Update_Windows.exe (PID: 5660)
  - RDM_ROOTCERTIFICATE.exe (PID: 3408)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
  - certmgr.exe (PID: 7544)
  - certmgr.exe (PID: 68)
  - certmgr.exe (PID: 4308)
- Manual execution by a user
  - RDM_Root_Cert_Update_Windows.exe (PID: 7368)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3800)
- Create files in a temporary directory
  - RDM_Root_Cert_Update_Windows.exe (PID: 7368)
  - RDM_Root_Cert_Update_Windows.exe (PID: 5660)
  - RDM_ROOTCERTIFICATE.exe (PID: 3408)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
- Process checks computer location settings
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4984)
- Reads the computer name
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4984)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
- Creates files in the program directory
  - RDM_Root_Cert_Update_Windows.tmp (PID: 4888)
  - certutil.exe (PID: 2220)
  - RDM_ROOTCERTIFICATE.tmp (PID: 5696)
- Reads the machine GUID from the registry
  - certmgr.exe (PID: 4308)
- Reads the software policy settings
  - certutil.exe (PID: 2220)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	51
ZipBitFlag:	0x0001
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:07:22 10:27:32
ZipCRC:	0x00000000
ZipCompressedSize:	3235497
ZipUncompressedSize:	3838992
ZipFileName:	RDM_Root_Cert_Update_Windows.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

172

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root

C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\certmgr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

ECM Certificate Manager

Exit code:

4294967295

Version:

5.131.1863.1

Modules

Images
c:\users\admin\appdata\local\temp\is-jmn6p.tmp\rdmcert\certmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

684

C:\WINDOWS\system32\cmd.exe /S /D /c" echo 1 "

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1320

certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\i17fj4h8.default\." -i "C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\RDM_RootCA.pem"

C:\Windows\SysWOW64\certutil.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2220

"C:\WINDOWS\system32/certutil.exe" –f –p rdm736 –importpfx "C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\rdm.pfx"

C:\Windows\SysWOW64\certutil.exe

—

RDM_ROOTCERTIFICATE.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2276

C:\WINDOWS\system32\net1 start "Embedthis Rdmappweb"

C:\Windows\SysWOW64\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

2356

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2360

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

certmgr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2868

"C:\WINDOWS\system32\net.exe" start "RDMAppweb"

C:\Windows\SysWOW64\net.exe

—

RDM_Root_Cert_Update_Windows.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3408

"C:\Users\admin\AppData\Local\Temp\is-GEG8I.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT

C:\Users\admin\AppData\Local\Temp\is-GEG8I.tmp\RDM_ROOTCERTIFICATE.exe

RDM_Root_Cert_Update_Windows.tmp

User:

admin

Company:

RDM Corporation

Integrity Level:

HIGH

Description:

RDM ROOT CERTIFICATE Setup

Exit code:

Version:

2.0.0.3

Modules

Images
c:\users\admin\appdata\local\temp\is-geg8i.tmp\rdm_rootcertificate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3724

C:\WINDOWS\system32\cmd.exe /c dir /B "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

18 922

Read events

18 842

Write events

Delete events

Modification events


(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\RDM_Root_Cert_Update_Windows 1.zip
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(4888) RDM_Root_Cert_Update_Windows.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 181300002B53D8124BDCDA01

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4888	RDM_Root_Cert_Update_Windows.tmp	C:\Users\admin\AppData\Local\Temp\is-GEG8I.tmp\is-NIJBM.tmp		executable
		MD5:5DAEC5D62A1B06418E5EAE25B7857748	SHA256:9F395107A54B5393D98B7AA5D4A039D32BE780E691CACF75EF7D4CE58D074D83
4888	RDM_Root_Cert_Update_Windows.tmp	C:\Users\admin\AppData\Local\Temp\is-GEG8I.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5660	RDM_Root_Cert_Update_Windows.exe	C:\Users\admin\AppData\Local\Temp\is-GH7IL.tmp\RDM_Root_Cert_Update_Windows.tmp		executable
		MD5:A5388235BBD3513D95A2A5C172A55680	SHA256:109DFA3633727AEE046973A9D59DFD493C4F4EDFA50BCBCC37999C4BF020550F
3408	RDM_ROOTCERTIFICATE.exe	C:\Users\admin\AppData\Local\Temp\is-2F8SI.tmp\RDM_ROOTCERTIFICATE.tmp		executable
		MD5:05CB53C8116FA798AB00B737F7B94015	SHA256:41355B9DE8550C19DE59BA6555BAC91BCCA1529F0EABFF8C239A7B151F4012EB
7368	RDM_Root_Cert_Update_Windows.exe	C:\Users\admin\AppData\Local\Temp\is-P4KTT.tmp\RDM_Root_Cert_Update_Windows.tmp		executable
		MD5:A5388235BBD3513D95A2A5C172A55680	SHA256:109DFA3633727AEE046973A9D59DFD493C4F4EDFA50BCBCC37999C4BF020550F
5696	RDM_ROOTCERTIFICATE.tmp	C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\AddCert.bat		text
		MD5:0A7F6C64EEF31DDB78A7EA184A1E526C	SHA256:FDCDD7E21E9CCEDACB8BFC166FD945F2CB08979682BD15E70A88BBAAC48714EA
5696	RDM_ROOTCERTIFICATE.tmp	C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\certmgr.exe		executable
		MD5:5D077A0CDD077C014EEDB768FEB249BA	SHA256:8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
5696	RDM_ROOTCERTIFICATE.tmp	C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\is-KCB01.tmp		text
		MD5:9556062A739F56D168C1581A11192A17	SHA256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
5696	RDM_ROOTCERTIFICATE.tmp	C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\is-6SB8C.tmp		text
		MD5:0A7F6C64EEF31DDB78A7EA184A1E526C	SHA256:FDCDD7E21E9CCEDACB8BFC166FD945F2CB08979682BD15E70A88BBAAC48714EA
5696	RDM_ROOTCERTIFICATE.tmp	C:\Users\admin\AppData\Local\Temp\is-JMN6P.tmp\RdmCert\certremoval.bat		text
		MD5:E8C0E44371C4EDCC8908173BB91CA75C	SHA256:30AA7A6E165232DCA4B1B3ADF8C74BEA54A29686F8802C6DE92075EF53B5C1AA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7856	svchost.exe	4.209.32.198:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4716	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5620	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2760	svchost.exe	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2992	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7856	svchost.exe	4.209.33.156:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
login.live.com	40.126.31.71 20.190.159.64 20.190.159.0 20.190.159.23 40.126.31.73 20.190.159.68 20.190.159.73 20.190.159.75	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.185.174	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
licensing.mp.microsoft.com	4.209.33.156	whitelisted
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	184.86.251.13 184.86.251.15 184.86.251.19 184.86.251.10 184.86.251.17 184.86.251.11 184.86.251.9 184.86.251.8 184.86.251.16	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

RDM_Root_Cert_Update_Windows 1.zip

4712C264C63CDA22C8BA1BC7D2E202BC

05460A4BA8FC1515FF858584C83955855D6446A6

2D46FF3CBAC2B089B1382DD24565E68BFDAC0F627231DAB1B6552A1B3C2B4132

98304:gi3H0pQbmWqNfPGo5XhVyB5MmZ87iA6COH7ZIfKE2vxFZZixOGk2l8/Zx24/6Ijy:ZsBzZuHqj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Starts NET.EXE for service management

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Starts a Microsoft application from unusual location

Adds/modifies Windows certificates

Application launched itself

INFO

Checks supported languages

Manual execution by a user

Executable content was dropped or overwritten

Create files in a temporary directory

Process checks computer location settings

Reads the computer name

Creates files in the program directory

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings