Malware analysis pasmmm.exe Malicious activity | ANY.RUN

Add for printing

File name:	pasmmm.exe
Full analysis:	https://app.any.run/tasks/48788144-59bc-4583-a32a-52911a74fdb0
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	May 20, 2019, 13:46:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat rms
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	93235A1D2D3AB3B61B292290DC901EC9
SHA1:	434E10019948446DDBE40F29225DAC38012308C0
SHA256:	69AE35457E2E8AE7EF51C725A7C2D9EFAC00A53F439A928E5540551C048F01CB
SSDEEP:	49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95xQW1vB38PELaacVzWTV3:sICtHsJoMAwG24m4f2Kcrsb9rfUAV3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - uninstall.exe (PID: 3052)
  - exit.exe (PID: 252)
  - veter1605_MAPS_10cr0.exe (PID: 3832)
  - exit.exe (PID: 4088)
  - winserv.exe (PID: 3716)
- Loads dropped or rewritten executable
  - cmd.exe (PID: 3096)
  - taskkill.exe (PID: 1548)
  - taskkill.exe (PID: 2236)
  - taskkill.exe (PID: 3732)
  - taskkill.exe (PID: 2908)
  - taskkill.exe (PID: 2992)
  - taskkill.exe (PID: 1152)
  - taskkill.exe (PID: 2448)
  - taskkill.exe (PID: 3172)
  - windanr.exe (PID: 3148)
  - taskkill.exe (PID: 1548)
  - taskkill.exe (PID: 3436)
  - taskkill.exe (PID: 3200)
  - veter1605_MAPS_10cr0.exe (PID: 3832)
  - taskkill.exe (PID: 2568)
  - taskkill.exe (PID: 2116)
  - taskkill.exe (PID: 1512)
  - taskkill.exe (PID: 3324)
  - exit.exe (PID: 4088)
  - taskkill.exe (PID: 1184)
  - taskkill.exe (PID: 3200)
  - winserv.exe (PID: 3716)
  - taskkill.exe (PID: 2308)
  - taskkill.exe (PID: 2176)
  - taskkill.exe (PID: 3168)
  - taskkill.exe (PID: 3380)
  - taskkill.exe (PID: 2808)
  - taskkill.exe (PID: 2264)
  - taskkill.exe (PID: 2108)
  - taskkill.exe (PID: 3680)
  - wmiprvse.exe (PID: 3076)
  - taskkill.exe (PID: 2216)
  - taskkill.exe (PID: 3916)
  - taskkill.exe (PID: 3176)
  - taskkill.exe (PID: 1080)
  - taskkill.exe (PID: 1924)
  - taskkill.exe (PID: 3424)
  - taskkill.exe (PID: 3432)
  - taskkill.exe (PID: 1040)
  - taskkill.exe (PID: 3268)
  - taskkill.exe (PID: 3736)
  - taskkill.exe (PID: 880)
  - taskkill.exe (PID: 3024)
  - taskkill.exe (PID: 3460)
  - taskkill.exe (PID: 3712)
  - taskkill.exe (PID: 2076)
  - taskkill.exe (PID: 1388)
  - taskkill.exe (PID: 3376)
  - taskkill.exe (PID: 3128)
  - taskkill.exe (PID: 3416)
  - taskkill.exe (PID: 2272)
  - PING.EXE (PID: 932)
  - taskkill.exe (PID: 2468)
  - taskkill.exe (PID: 1944)
  - cmd.exe (PID: 2776)
  - taskkill.exe (PID: 2272)
  - PING.EXE (PID: 2816)
  - taskkill.exe (PID: 1344)
  - conhost.exe (PID: 2596)
  - taskkill.exe (PID: 3992)
  - taskkill.exe (PID: 584)
  - taskkill.exe (PID: 1568)
  - exit.exe (PID: 252)
  - taskkill.exe (PID: 2440)
  - taskkill.exe (PID: 964)
  - taskkill.exe (PID: 3444)
  - taskkill.exe (PID: 964)
  - taskkill.exe (PID: 1928)
  - taskkill.exe (PID: 3508)
  - taskkill.exe (PID: 3120)
  - taskkill.exe (PID: 2356)
  - uninstall.exe (PID: 3052)
  - taskkill.exe (PID: 3236)
  - taskkill.exe (PID: 2108)
  - taskkill.exe (PID: 640)
  - taskkill.exe (PID: 3016)
  - taskkill.exe (PID: 628)
  - taskkill.exe (PID: 3268)
  - conhost.exe (PID: 3884)
  - taskkill.exe (PID: 2960)
  - reg.exe (PID: 2684)
  - taskkill.exe (PID: 1388)
  - pasmmm.exe (PID: 1892)
  - taskkill.exe (PID: 3660)
  - taskkill.exe (PID: 1184)
  - taskkill.exe (PID: 1968)
  - taskkill.exe (PID: 2236)
  - taskkill.exe (PID: 3468)
  - taskkill.exe (PID: 1512)
  - taskkill.exe (PID: 2292)
  - taskkill.exe (PID: 3252)
  - taskkill.exe (PID: 3640)
  - taskkill.exe (PID: 3644)
  - taskkill.exe (PID: 3008)
  - taskkill.exe (PID: 2308)
  - taskkill.exe (PID: 3708)
  - taskkill.exe (PID: 3900)
  - taskkill.exe (PID: 3324)
  - taskkill.exe (PID: 3524)
  - taskkill.exe (PID: 2528)
  - taskkill.exe (PID: 2644)
  - taskkill.exe (PID: 860)
  - taskkill.exe (PID: 3732)
  - taskkill.exe (PID: 1260)
  - taskkill.exe (PID: 2284)
  - taskkill.exe (PID: 2736)
  - taskkill.exe (PID: 3276)
  - taskkill.exe (PID: 2488)
  - taskkill.exe (PID: 3128)
  - taskkill.exe (PID: 3384)
  - taskkill.exe (PID: 1664)
  - taskkill.exe (PID: 1332)
  - taskkill.exe (PID: 3848)
  - taskkill.exe (PID: 3648)
  - taskkill.exe (PID: 1796)
  - taskkill.exe (PID: 2640)
  - taskkill.exe (PID: 584)
  - taskkill.exe (PID: 3876)
  - taskkill.exe (PID: 3640)
  - taskkill.exe (PID: 2584)
  - taskkill.exe (PID: 3980)
  - taskkill.exe (PID: 2760)
  - taskkill.exe (PID: 3748)
  - taskkill.exe (PID: 2668)
  - taskkill.exe (PID: 2356)
  - taskkill.exe (PID: 1336)
  - taskkill.exe (PID: 3040)
  - taskkill.exe (PID: 1464)
  - taskkill.exe (PID: 3764)
  - taskkill.exe (PID: 2828)
  - taskkill.exe (PID: 2896)
  - taskkill.exe (PID: 3692)
  - taskkill.exe (PID: 2520)
  - taskkill.exe (PID: 856)
  - taskkill.exe (PID: 832)
  - taskkill.exe (PID: 3700)
  - taskkill.exe (PID: 3432)
  - taskkill.exe (PID: 3368)
  - taskkill.exe (PID: 1308)
  - taskkill.exe (PID: 2256)
  - taskkill.exe (PID: 2820)
  - taskkill.exe (PID: 3784)
  - taskkill.exe (PID: 1172)
  - taskkill.exe (PID: 2792)
  - taskkill.exe (PID: 3060)
  - taskkill.exe (PID: 1944)
  - taskkill.exe (PID: 1964)
  - taskkill.exe (PID: 2504)
  - taskkill.exe (PID: 3264)
  - taskkill.exe (PID: 3796)
  - taskkill.exe (PID: 3460)
  - taskkill.exe (PID: 3984)
  - taskkill.exe (PID: 1344)
  - taskkill.exe (PID: 3384)
  - taskkill.exe (PID: 3216)
  - taskkill.exe (PID: 2740)
  - taskkill.exe (PID: 3496)
  - taskkill.exe (PID: 2104)
  - taskkill.exe (PID: 1008)
  - taskkill.exe (PID: 936)
  - taskkill.exe (PID: 3464)
  - taskkill.exe (PID: 796)
  - taskkill.exe (PID: 3372)
  - taskkill.exe (PID: 2724)
  - taskkill.exe (PID: 2908)
  - taskkill.exe (PID: 2648)
  - taskkill.exe (PID: 2972)
  - taskkill.exe (PID: 2156)
  - taskkill.exe (PID: 276)
  - taskkill.exe (PID: 2060)
  - taskkill.exe (PID: 3812)
  - taskkill.exe (PID: 2808)
  - taskkill.exe (PID: 280)
  - taskkill.exe (PID: 796)
  - taskkill.exe (PID: 3692)
  - taskkill.exe (PID: 3516)
  - taskkill.exe (PID: 3164)
  - taskkill.exe (PID: 936)
  - taskkill.exe (PID: 2228)
  - taskkill.exe (PID: 3172)
  - taskkill.exe (PID: 856)
  - taskkill.exe (PID: 2220)
  - taskkill.exe (PID: 3316)
  - taskkill.exe (PID: 2120)
  - taskkill.exe (PID: 1080)
  - taskkill.exe (PID: 1880)
  - taskkill.exe (PID: 2284)
  - taskkill.exe (PID: 2656)
  - taskkill.exe (PID: 576)
  - taskkill.exe (PID: 2280)
  - taskkill.exe (PID: 1928)
  - taskkill.exe (PID: 2856)
  - taskkill.exe (PID: 3560)
  - taskkill.exe (PID: 2132)
  - taskkill.exe (PID: 3252)
  - taskkill.exe (PID: 3348)
  - taskkill.exe (PID: 3276)
  - taskkill.exe (PID: 2244)
  - taskkill.exe (PID: 3304)
  - taskkill.exe (PID: 3880)
  - taskkill.exe (PID: 3492)
  - taskkill.exe (PID: 2608)
  - taskkill.exe (PID: 3392)
  - taskkill.exe (PID: 3388)
  - taskkill.exe (PID: 3552)
  - taskkill.exe (PID: 3556)
  - taskkill.exe (PID: 3160)
  - taskkill.exe (PID: 2996)
  - taskkill.exe (PID: 3420)
  - taskkill.exe (PID: 3820)
  - taskkill.exe (PID: 3812)
  - taskkill.exe (PID: 2344)
  - taskkill.exe (PID: 3080)
  - taskkill.exe (PID: 2156)
  - taskkill.exe (PID: 3320)
  - taskkill.exe (PID: 3188)
  - taskkill.exe (PID: 2232)
  - taskkill.exe (PID: 3280)
  - taskkill.exe (PID: 3264)
  - taskkill.exe (PID: 2940)
  - taskkill.exe (PID: 2432)
  - taskkill.exe (PID: 3540)
  - taskkill.exe (PID: 2352)
  - taskkill.exe (PID: 2032)
  - taskkill.exe (PID: 3088)
  - taskkill.exe (PID: 3808)
  - taskkill.exe (PID: 3660)
  - taskkill.exe (PID: 1924)
  - taskkill.exe (PID: 3788)
  - taskkill.exe (PID: 3084)
  - taskkill.exe (PID: 2848)
  - taskkill.exe (PID: 3112)
  - taskkill.exe (PID: 1464)
  - taskkill.exe (PID: 3448)
  - taskkill.exe (PID: 2668)
  - taskkill.exe (PID: 3140)
  - taskkill.exe (PID: 3516)
  - taskkill.exe (PID: 576)
  - taskkill.exe (PID: 2952)
  - taskkill.exe (PID: 1032)
  - taskkill.exe (PID: 1100)
  - taskkill.exe (PID: 2136)
  - taskkill.exe (PID: 1836)
  - taskkill.exe (PID: 3816)
  - taskkill.exe (PID: 3180)
  - taskkill.exe (PID: 3396)
  - taskkill.exe (PID: 2724)
  - taskkill.exe (PID: 3024)
  - taskkill.exe (PID: 3672)
  - taskkill.exe (PID: 3232)
  - taskkill.exe (PID: 1276)
  - taskkill.exe (PID: 3904)
  - taskkill.exe (PID: 3588)
  - taskkill.exe (PID: 1012)
  - taskkill.exe (PID: 3092)
  - taskkill.exe (PID: 2928)
  - taskkill.exe (PID: 2352)
  - taskkill.exe (PID: 3968)
  - taskkill.exe (PID: 2936)
  - taskkill.exe (PID: 3624)
  - taskkill.exe (PID: 2292)
  - taskkill.exe (PID: 3236)
  - taskkill.exe (PID: 2752)
  - taskkill.exe (PID: 2232)
  - taskkill.exe (PID: 2676)
  - taskkill.exe (PID: 3648)
  - taskkill.exe (PID: 752)
  - taskkill.exe (PID: 2484)
  - taskkill.exe (PID: 2052)
  - taskkill.exe (PID: 1308)
  - taskkill.exe (PID: 3512)
  - taskkill.exe (PID: 3808)
  - taskkill.exe (PID: 2240)
  - taskkill.exe (PID: 3052)
  - taskkill.exe (PID: 1476)
  - taskkill.exe (PID: 3248)
  - taskkill.exe (PID: 2448)
  - taskkill.exe (PID: 2660)
  - taskkill.exe (PID: 2632)
  - taskkill.exe (PID: 3212)
  - taskkill.exe (PID: 928)
  - taskkill.exe (PID: 2848)
  - taskkill.exe (PID: 2116)
  - taskkill.exe (PID: 2088)
  - taskkill.exe (PID: 3452)
  - taskkill.exe (PID: 3116)
  - taskkill.exe (PID: 3784)
  - taskkill.exe (PID: 3224)
  - taskkill.exe (PID: 3084)
  - taskkill.exe (PID: 948)
  - taskkill.exe (PID: 2120)
  - taskkill.exe (PID: 2740)
  - taskkill.exe (PID: 1740)
  - taskkill.exe (PID: 3540)
  - taskkill.exe (PID: 3592)
  - taskkill.exe (PID: 2924)
  - taskkill.exe (PID: 1332)
  - taskkill.exe (PID: 404)
  - taskkill.exe (PID: 760)
  - taskkill.exe (PID: 3804)
  - taskkill.exe (PID: 2248)
  - taskkill.exe (PID: 3556)
  - taskkill.exe (PID: 2316)
  - taskkill.exe (PID: 900)
  - taskkill.exe (PID: 3300)
  - taskkill.exe (PID: 1560)
  - taskkill.exe (PID: 1276)
  - taskkill.exe (PID: 3176)
  - taskkill.exe (PID: 2584)
  - taskkill.exe (PID: 3572)
  - taskkill.exe (PID: 2244)
  - taskkill.exe (PID: 1708)
  - taskkill.exe (PID: 2752)
  - taskkill.exe (PID: 756)
  - taskkill.exe (PID: 1708)
  - taskkill.exe (PID: 3608)
  - taskkill.exe (PID: 880)
  - taskkill.exe (PID: 1484)
  - taskkill.exe (PID: 2476)
  - taskkill.exe (PID: 300)
  - taskkill.exe (PID: 676)
  - taskkill.exe (PID: 3064)
  - taskkill.exe (PID: 2540)
  - taskkill.exe (PID: 2336)
  - taskkill.exe (PID: 3896)
  - taskkill.exe (PID: 3152)
  - taskkill.exe (PID: 3300)
  - taskkill.exe (PID: 3976)
  - taskkill.exe (PID: 2952)
  - taskkill.exe (PID: 2476)
  - taskkill.exe (PID: 476)
  - taskkill.exe (PID: 1436)
  - taskkill.exe (PID: 2280)
  - taskkill.exe (PID: 3168)
  - taskkill.exe (PID: 3588)
  - taskkill.exe (PID: 3348)
  - taskkill.exe (PID: 3968)
  - taskkill.exe (PID: 2276)
  - taskkill.exe (PID: 2580)
  - taskkill.exe (PID: 2656)
  - taskkill.exe (PID: 3448)
  - taskkill.exe (PID: 2288)
  - taskkill.exe (PID: 2844)
  - taskkill.exe (PID: 852)
  - taskkill.exe (PID: 1812)
  - taskkill.exe (PID: 2192)
  - taskkill.exe (PID: 3828)
  - taskkill.exe (PID: 3480)
  - taskkill.exe (PID: 3544)
  - taskkill.exe (PID: 1260)
  - taskkill.exe (PID: 3088)
  - taskkill.exe (PID: 3608)
  - taskkill.exe (PID: 3380)
  - taskkill.exe (PID: 948)
  - taskkill.exe (PID: 2140)
  - taskkill.exe (PID: 3152)
  - taskkill.exe (PID: 1324)
  - taskkill.exe (PID: 2840)
- Changes the autorun value in the registry
  - reg.exe (PID: 2684)
- RMS RAT was detected
  - winserv.exe (PID: 3716)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - exit.exe (PID: 252)
  - exit.exe (PID: 4088)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 3096)
  - pasmmm.exe (PID: 1892)
  - uninstall.exe (PID: 3052)
  - veter1605_MAPS_10cr0.exe (PID: 3832)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2776)
- Creates files in the program directory
  - uninstall.exe (PID: 3052)
- Reads Environment values
  - winserv.exe (PID: 3716)
- Reads the machine GUID from the registry
  - winserv.exe (PID: 3716)
- Creates files in the user directory
  - winserv.exe (PID: 3716)
- Reads Windows Product ID
  - winserv.exe (PID: 3716)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2776)
INFO
- Dropped object may contain Bitcoin addresses
  - pasmmm.exe (PID: 1892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:02:24 20:03:26+01:00
PEType:	PE32
LinkerVersion:	14
CodeSize:	190976
InitializedDataSize:	194560
UninitializedDataSize:	-
EntryPoint:	0x1d779
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	24-Feb-2019 19:03:26
Detected languages:	English - United States
Debug artifacts:	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	6
Time date stamp:	24-Feb-2019 19:03:26
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0002E864	0x0002EA00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.69348
.rdata	0x00030000	0x00009AAC	0x00009C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.13383
.data	0x0003A000	0x000213D0	0x00000C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.24289
.gfids	0x0005C000	0x000000E8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	2.09592
.rsrc	0x0005D000	0x00002439	0x00002600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.41453
.reloc	0x00060000	0x00001FD0	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.68736

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.09524	817	UNKNOWN	English - United States	RT_MANIFEST
2	4.81483	1384	UNKNOWN	English - United States	RT_ICON
3	3.76686	744	UNKNOWN	English - United States	RT_ICON
4	3.61407	2216	UNKNOWN	English - United States	RT_ICON
100	2.64576	62	UNKNOWN	English - United States	RT_GROUP_ICON
ASKNEXTVOL	3.42597	646	UNKNOWN	English - United States	RT_DIALOG
GETPASSWORD1	3.33944	314	UNKNOWN	English - United States	RT_DIALOG
LICENSEDLG	3.16133	236	UNKNOWN	English - United States	RT_DIALOG
RENAMEDLG	3.08925	302	UNKNOWN	English - United States	RT_DIALOG
REPLACEFILEDLG	3.31987	824	UNKNOWN	English - United States	RT_DIALOG

Imports


KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

393

Monitored processes

363

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1892	"C:\Users\admin\AppData\Local\Temp\pasmmm.exe"	C:\Users\admin\AppData\Local\Temp\pasmmm.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
252	"C:\Users\admin\AppData\Local\Temp\exit.exe"	C:\Users\admin\AppData\Local\Temp\exit.exe	—	pasmmm.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3096	cmd /c i.cmd	C:\Windows\system32\cmd.exe		exit.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2816	ping www.cloudflare.com -n 3 -w 3000	C:\Windows\system32\PING.EXE	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
932	ping www.cloudflare.com -n 3 -w 1000	C:\Windows\system32\PING.EXE	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3052	uninstall.exe x -pQELRatcwbU2EJ5 -y	C:\Users\admin\AppData\Local\Temp\uninstall.exe		cmd.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3832	veter1605_MAPS_10cr0.exe	C:\Users\admin\AppData\Local\Temp\veter1605_MAPS_10cr0.exe		cmd.exe
User: admin Company: Miranda IM Integrity Level: MEDIUM Description: Tile Textheight Clipbook Mostly Wading Exit code: 0 Version: 8.7.56.236
4088	"C:\ProgramData\Windows Anytime Upgrade\exit.exe"	C:\ProgramData\Windows Anytime Upgrade\exit.exe	—	uninstall.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2776	cmd /c i.cmd	C:\Windows\system32\cmd.exe	—	exit.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2684	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Anytime Upgrade" /t REG_SZ /d "C:\ProgramData\Windows Anytime Upgrade\winserv.exe"	C:\Windows\system32\reg.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 445

Read events

1 409

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3052	uninstall.exe	C:\ProgramData\Windows Anytime Upgrade\settings.dat		binary
		MD5:46FF979A07CD2721DC14DA7EDF386AD7	SHA256:210BB55664D291D82B94B9CEA6FCF41029EDED9ECA6E7FE7B7D58715407A0703
3052	uninstall.exe	C:\ProgramData\Windows Anytime Upgrade\i.cmd		text
		MD5:4957715BBD77615B43F5A409D4687033	SHA256:4A113391615785F0C4E358938EEA2061040941DCD3CB09658D174A60AB683CF1
1892	pasmmm.exe	C:\Users\admin\AppData\Local\Temp\exit.exe		executable
		MD5:E488DECBB44AD1A3430E82B57A70615E	SHA256:FD701894E7EC8D8319BC9B32BBA5892B11BDF608C3D04C2F18EFF83419EB6DF0
3052	uninstall.exe	C:\ProgramData\Windows Anytime Upgrade\exit.exe		executable
		MD5:E488DECBB44AD1A3430E82B57A70615E	SHA256:FD701894E7EC8D8319BC9B32BBA5892B11BDF608C3D04C2F18EFF83419EB6DF0
3716	winserv.exe	C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2019-05.html		html
		MD5:85710B0C45433D21FE07F49362975F66	SHA256:117C01360F89CAB4050B0F46BE1DC1D9B06E7EEC4C0108A02839309B51A70DC3
1892	pasmmm.exe	C:\Users\admin\AppData\Local\Temp\i.cmd		text
		MD5:E8E66827FFE84E0C28A2EB6A5073354F	SHA256:C69CE39AC3E178A89076136AF7418C6CB664844B0CE5CB643912ED56C373A08A
1892	pasmmm.exe	C:\Users\admin\AppData\Local\Temp\veter1605_MAPS_10cr0.exe		executable
		MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B	SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B
3052	uninstall.exe	C:\ProgramData\Windows Anytime Upgrade\winserv.exe		executable
		MD5:CF2AB077A46219B6CE4A53517DD489EA	SHA256:609B0A416F9B16A6DF9B967DC32CD739402AF31566E019A8FB8ABDF3CB573E30
3832	veter1605_MAPS_10cr0.exe	C:\Users\admin\AppData\Local\Temp\1D86.tmp		executable
		MD5:ED60C95C805DBAEE92C90C3AB930085A	SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39
1892	pasmmm.exe	C:\Users\admin\AppData\Local\Temp\kernel.dll		executable
		MD5:9F63EF6993F98DDD56E1E2CDF2D67B27	SHA256:5310C2397BA4C783F7EE9724711A6DA9B5C603B5C9781FFF3407B46725E338B3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3716	winserv.exe	217.12.201.159:5655	—	ITL Company	NL	suspicious

DNS requests

Domain	IP	Reputation
www.cloudflare.com	104.17.210.9 104.17.209.9	whitelisted

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

Process	Message
winserv.exe	Error WTSQueryUserToken #1314
winserv.exe	20-05-2019_14:46:31:078#T:Error #20 @2
winserv.exe	20-05-2019_14:47:03:531#T:Msg Size: 104
winserv.exe	20-05-2019_14:47:03:531#T:Msg code: 3
winserv.exe	20-05-2019_14:47:03:531#T:MSG_KEEP_ALIVE
winserv.exe	MSG_KEEP_ALIVE
winserv.exe	20-05-2019_14:47:43:219#T:Msg Size: 104
winserv.exe	20-05-2019_14:47:43:219#T:Msg code: 3
winserv.exe	20-05-2019_14:47:43:219#T:MSG_KEEP_ALIVE
winserv.exe	MSG_KEEP_ALIVE

General Info

pasmmm.exe

93235A1D2D3AB3B61B292290DC901EC9

434E10019948446DDBE40F29225DAC38012308C0

69AE35457E2E8AE7EF51C725A7C2D9EFAC00A53F439A928E5540551C048F01CB

49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95xQW1vB38PELaacVzWTV3:sICtHsJoMAwG24m4f2Kcrsb9rfUAV3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes the autorun value in the registry

RMS RAT was detected

SUSPICIOUS

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Uses REG.EXE to modify Windows registry

Creates files in the program directory

Reads Environment values

Reads the machine GUID from the registry

Creates files in the user directory

Reads Windows Product ID

Uses TASKKILL.EXE to kill process

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings