General Info

File name

winserv.exe

Full analysis
https://app.any.run/tasks/9d52cd24-a577-4ac2-93ab-b38831265109
Verdict
Malicious activity
Analysis date
10/9/2019, 15:06:50
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

rms

Indicators:

MIME:
application/x-dosexec
File info:
MS-DOS executable, MZ for MS-DOS
MD5

3f4f5a6cb95047fea6102bd7d2226aa9

SHA1

fc09dd898b6e7ff546e4a7517a715928fbafc297

SHA256

99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98

SSDEEP

196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEo:i6UZcWWeVj4FZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
RMS was detected
  • winserv.exe (PID: 3004)
Reads the machine GUID from the registry
  • winserv.exe (PID: 3004)
Reads Windows Product ID
  • winserv.exe (PID: 3004)
Creates files in the user directory
  • winserv.exe (PID: 3004)
Reads Environment values
  • winserv.exe (PID: 3004)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe | Win32 Executable (generic) (52.9%)
.exe | Generic Win/DOS Executable (23.5%)
.exe | DOS Executable Generic (23.5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
0000:00:00 00:00:00
PEType:
PE32
LinkerVersion:
7
CodeSize:
10563584
InitializedDataSize:
118784
UninitializedDataSize:
null
EntryPoint:
0x77b96c
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
6.7.0.2
ProductVersionNumber:
6.7.0.2
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
CompanyName:
tox
FileDescription:
System
FileVersion:
6.7.0.2
LegalCopyright:
Copyright © 2017 tektonit. All rights reserved.
LegalTrademarks:
System
ProductName:
System
ProductVersion:
6.7.0.2
PROGRAMID:
PROGRAM
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
01-Jan-1970 00:00:00
Detected languages
English - United States
Russian - Russia
CompanyName:
tox
FileDescription:
System
FileVersion:
6.7.0.2
LegalCopyright:
Copyright © 2017 tektonit. All rights reserved.
LegalTrademarks:
System
ProductName:
System
ProductVersion:
6.7.0.2
PROGRAMID:
PROGRAM
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0046
Pages in file:
0x0049
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0x0000
Initial SS value:
0x0052
Initial SP value:
0x0045
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000040
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
01-Jan-1970 00:00:00
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.tls 0x00001000 0x00A13000 0x00A12400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.95935
.rsrc 0x00A14000 0x00017000 0x00016800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.83711
.idata 0x00A2B000 0x00006000 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.31574
Resources
DEFAULTSKINICONLARGE

DEFAULTSKINICONSMALL

CALIBRATE

EXCEPT

CX_BACKBUTTON

CX_CLOCKFACE

CX_CLOCKGLASS

CX_COMMANDLINKGLYPH

CX_FIXEDGROUPINDICATOR

CX_LOOKANDFEELSTYLEICON_FLAT16

CX_LOOKANDFEELSTYLEICON_FLAT48

CX_LOOKANDFEELSTYLEICON_NATIVE16

CX_LOOKANDFEELSTYLEICON_NATIVE48

CX_LOOKANDFEELSTYLEICON_OFFICE1116

CX_LOOKANDFEELSTYLEICON_OFFICE1148

CX_LOOKANDFEELSTYLEICON_STANDARD16

CX_LOOKANDFEELSTYLEICON_STANDARD48

CX_LOOKANDFEELSTYLEICON_ULTRAFLAT16

CX_LOOKANDFEELSTYLEICON_ULTRAFLAT48

CX_RATINGCONTROLINDICATOR

DX_MAPPUSHPIN

DX_NAVIGATIONBARCUSTOMIZATIONBUTTON

DX_SEARCHBUTTONGLYPH

VIDEO_IMAGE

Z_QUINNECT_RMS

Z_QUINNECT_RUT

CASE

CATEGORIES

COMBINING

COMPOSITION

DECOMPOSITION

NUMBERS

BBABORT

BBALL

BBCANCEL

BBCLOSE

BBHELP

BBIGNORE

BBNO

BBOK

BBRETRY

BBYES

CDROM

CLOSEDFOLDER

CURRENTFOLDER

CX_ARROWBITMAP

CX_DROPARROW

CX_DROPARROW_150

CX_DROPARROW_200

CX_EDITBITMAP

CX_FILTERBITMAP

CX_FULLSCROLLBITMAP

CX_HORSCROLLBITMAP

CX_INSERTBITMAP

CX_MULTIARROWBITMAP

CX_MULTIDOTBITMAP

CX_SORTBYSUMMARYVALUE

CX_VERSCROLLBITMAP

CX_ZOOMINBUTTONGLYPH

CX_ZOOMOUTBUTTONGLYPH

DXEXPANDBUTTON_MINUS

DXEXPANDBUTTON_PLUS

DXSUBMENUEXPAND

EXECUTABLE

FLOPPY

HARD

JVCUSTOMDATEEDITGLYPH

JVCUSTOMIMAGEBUTTONDEFAULT

JVDIRECTORYEDITGLYPH

JVDIRECTORYEDITXPGLYPH

JVFILENAMEEDITGLYPH

JVFILENAMEEDITXPGLYPH

KNOWNFILE

MEIBIG

MEICANTCONTINUE

MEICLOSE

MEICONTINUE

MEIPLWAIT

MEIPRINT

MEIRESTART

MEISAVE

MEISEND

MEISEND32

MEISHOW

NETWORK

OPENFOLDER

PREVIEWGLYPH

RAM

SPINDOWN

SPINUP

UNKNOWNFILE

DLGTEMPLATE

TEXTFILEDLG

DVCLAL

PACKAGEINFO

PLATFORMTARGETS

TDMMAIN

TFMABOUT

TFMACCESSPAGE

TFMADDEDITCALLBACKCONNECTION

TFMADDUSERACCESS

TFMADVANCEDSECURITYFORM

TFMBLACKLAYERED

TFMCALLBACKCONNECTIONS

TFMDISCLAIMER

TFMENTERINVITATION

TFMENTERPASSWORD

TFMFILTERIPRANGE

TFMINTERNETCONNECTION

TFMIPFILTER

TFMMAINSERVICE

TFMMYSELECTLANGUAGE

TFMOPTIONS

TFMPASSWORDPROTECTION

TFMPROXYSETTINGS

TFMQUICKCONNECT

TFMSECURITY

TFMSELECTACCESSUSERSANDGROUPS

TFMSELECTINETSERVER

TFMSERVERCONNECT

TFMSERVERLIST

TFMSETPROTECTIONPASSWORD

TFMSETTINGS

TFMSIMPLESECURITY

TFMSIMPLESYNCSIGNIN

TFMSTARTUPMODE

TFMSYNCAUTH

TFMUSERACCESS

TFMVIEWERCONTROL

TMADEXCEPT

TMECONTACTFORM

TMEDETAILSFORM

TMESCRSHOTFORM

WINXCTRLS_MOMENTUMDOTS_BLACK_24

WINXCTRLS_MOMENTUMDOTS_BLACK_32

WINXCTRLS_MOMENTUMDOTS_BLACK_48

WINXCTRLS_MOMENTUMDOTS_BLACK_64

WINXCTRLS_MOMENTUMDOTS_WHITE_24

WINXCTRLS_MOMENTUMDOTS_WHITE_32

WINXCTRLS_MOMENTUMDOTS_WHITE_48

WINXCTRLS_MOMENTUMDOTS_WHITE_64

WINXCTRLS_ROTATINGSECTOR_BLACK_24

WINXCTRLS_ROTATINGSECTOR_BLACK_32

WINXCTRLS_ROTATINGSECTOR_BLACK_48

WINXCTRLS_ROTATINGSECTOR_BLACK_64

WINXCTRLS_ROTATINGSECTOR_WHITE_24

WINXCTRLS_ROTATINGSECTOR_WHITE_32

WINXCTRLS_ROTATINGSECTOR_WHITE_48

WINXCTRLS_ROTATINGSECTOR_WHITE_64

WINXCTRLS_SEARCHINDICATORS_AUDIO

WINXCTRLS_SEARCHINDICATORS_TEXT

WINXCTRLS_SECTORRING_BLACK_24

WINXCTRLS_SECTORRING_BLACK_32

WINXCTRLS_SECTORRING_BLACK_48

WINXCTRLS_SECTORRING_BLACK_64

WINXCTRLS_SECTORRING_WHITE_24

WINXCTRLS_SECTORRING_WHITE_32

WINXCTRLS_SECTORRING_WHITE_48

WINXCTRLS_SECTORRING_WHITE_64

CAT_DRAG_COPY

CXDROPAFTERCOPY

CXDROPBEFORECOPY

CXDROPINSIDECOPY

CX_COLORPICKERCURSOR

CX_DOWNSCROLLCURSOR

CX_DRAGCOPYCURSOR

CX_DRAGCURSOR

CX_FULLSCROLLCURSOR

CX_HANDCURSOR

CX_HANDDRAGCURSOR

CX_HANDPOINTCURSOR

CX_HORSCROLLCURSOR

CX_HORZSIZECURSOR

CX_LEFTSCROLLCURSOR

CX_MULTIDRAGCOPYCURSOR

CX_MULTIDRAGCURSOR

CX_NODROPCURSOR

CX_REMOVECURSOR

CX_RIGHTSCROLLCURSOR

CX_UPSCROLLCURSOR

CX_VERSCROLLCURSOR

CX_VERTSIZECURSOR

DXLAYOUTCONTROLDROPAFTER

DXLAYOUTCONTROLDROPBEFORE

DXLAYOUTCONTROLDROPINSIDE

DXLAYOUTCONTROLNODROP

DXLAYOUTCONTROLREMOVE

JVDRAGCURSOR

JVHANDCURSOR

Z_INET_ID_ICON_32X32

Imports
    advapi32.dll

    comctl32.dll

    comdlg32.dll

    gdi32.dll

    kernel32.dll

    msvcrt.dll

    netapi32.dll

    ole32.dll

    oleaut32.dll

    shell32.dll

    shfolder.dll

    user32.dll

    version.dll

    winhttp.dll

    wininet.dll

    winmm.dll

    winspool.drv

    wintrust.dll

    wsock32.dll

Exports
    dbkFCallWrapperAddr

    __dbk_fcall_wrapper

    madTraceProcess

    TMethodImplementationIntercept

Screenshots

Processes

Total processes
34
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #RMS winserv.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3004
CMD
"C:\winserv.exe"
Path
C:\winserv.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
tox
Description
System
Version
6.7.0.2
Modules
Image
c:\winserv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wintrust.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
317
Read events
308
Write events
9
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
FUSClientPath
C:\rfusclient.exe
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
Options
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
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
InternetId
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
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
CalendarRecordSettings
FFFE3C003F0078006D006C002000760065007200730069006F006E003D00220031002E0030002200200065006E0063006F00640069006E0067003D0022005500540046002D003100360022003F003E000D000A003C0073007200650065006E005F007200650063006F00720064005F006F007000740069006F006E002000760065007200730069006F006E003D0022003600370030003000320022003E003C006D00610069006E005F006F007000740069006F006E0073003E003C006100630074006900760065003E00660061006C00730065003C002F006100630074006900760065003E003C0069006E00740065007200760061006C005F00730068006F0074003E00360030003C002F0069006E00740065007200760061006C005F00730068006F0074003E003C00700072006F0074006500630074005F007200650063006F00720064003E00660061006C00730065003C002F00700072006F0074006500630074005F007200650063006F00720064003E003C0063006F006D007000720065007300730069006F006E005F007100750061006C006900740079003E00390030003C002F0063006F006D007000720065007300730069006F006E005F007100750061006C006900740079003E003C007300630061006C0065005F007100750061006C006900740079003E003100300030003C002F007300630061006C0065005F007100750061006C006900740079003E003C0063006F006D007000720065007300730069006F006E005F0074007900700065003E0030003C002F0063006F006D007000720065007300730069006F006E005F0074007900700065003E003C006D00610078005F00660069006C0065005F00730069007A0065003E003100300030003C002F006D00610078005F00660069006C0065005F00730069007A0065003E003C006100750074006F005F0063006C006500610072003E00660061006C00730065003C002F006100750074006F005F0063006C006500610072003E003C006100750074006F005F0063006C006500610072005F0064006100790073003E0030003C002F006100750074006F005F0063006C006500610072005F0064006100790073003E003C0075007300650064005F00660069006C0065005F006C0069006D00690074003E0074007200750065003C002F0075007300650064005F00660069006C0065005F006C0069006D00690074003E003C0061006C006C005F00660069006C00650073005F006C0069006D00690074005F006D0062003E0031003000300030003C002F0061006C006C005F00660069006C00650073005F006C0069006D00690074005F006D0062003E003C0064007200610077005F006400610074006100740069006D00
65005F006F006E005F0069006D006100670065003E0074007200750065003C002F0064007200610077005F006400610074006100740069006D0065005F006F006E005F0069006D006100670065003E003C0063007500730074006F006D005F00720065006D006F00740065005F006400690072006500630074006F00720079003E003C002F0063007500730074006F006D005F00720065006D006F00740065005F006400690072006500630074006F00720079003E003C002F006D00610069006E005F006F007000740069006F006E0073003E003C007300630068006500640075006C00650073002F003E003C002F0073007200650065006E005F007200650063006F00720064005F006F007000740069006F006E003E000D000A00
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
InternetId
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
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
PASSWORD
41003900430037003300320044003000320046003300320042004400420038003400300042004300440042003400460034004500450033003800380039004200320045003500450045003100450034003900450036003300310031004300430033003400390030003800350038003300340041003200300039003900340041004200300043004100450042003100440038004500330045004400450041003300420033003700410037004600420045003600450035003700300030004400360041003900310038003500390036004400460045003100360046003600310045003600350034003900340045004300370039003000370041003200420041003200
3004
winserv.exe
write
HKEY_CURRENT_USER\Software\tektonit\Remote MANIPULATOR System\Host\Parameters
Options
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

Files activity

Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3004
winserv.exe
C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2019-10.html
html
MD5: 68e3cac1ad4aa3617697827f30d4127d
SHA256: dc349ad19ed08b10a366fd271718d1261791fffcb642cd90f57ee974b62da1d5
3004
winserv.exe
C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2019-10.html
html
MD5: 7d977e4cbaad87d879dd677f8c095702
SHA256: 80fe463e8f0d42bf330a37bc16ebbec5adebfa85adf54c0abcd6e6b0f0a12bfe

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3004 winserv.exe 109.234.156.180:5655 OOO Network of data-centers Selectel RU suspicious

DNS requests

Domain IP Reputation
rms-server.tektonit.ru 109.234.156.180 malicious

Threats

No threats detected.

Debug output strings

Process Message
winserv.exe 09-10-2019_14:07:28:120#T:Error #20 @2
winserv.exe 09-10-2019_14:07:28:120#T:Error #20 @2