PUP.RemoteAdmin

Threat Scorecard

Popularity Rank: 1,339
Threat Level: 10 % (Normal)
Infected Computers: 38,599
First Seen: August 9, 2016
Last Seen: April 15, 2026
OS(es) Affected: Windows


File System Details

PUP.RemoteAdmin may create the following file(s):
# File Name MD5 Detections
1. NETWork.exe f36175806e9d0b21d95d36697d4017d9 32
2. rutserv.exe 4f40ef14a8143151764c3eb6c972398b 9
3. agent.exe e0f4afe374d75608d604fbf108eac64f 5
4. YP.exe 5d52ceb951384666ffb7a0b7e9b034fc 4
5. file.exe 77f6d6693870fd19fc922d0c3a9b5b9b 0
6. r_server.exe 24fc6bf84e755691ad9a9c033378bbf5 0
7. 5961315 523057fbbe6c89336b9cb2b1c1b78d26 0

Registry Details

PUP.RemoteAdmin may create the following registry entry or registry entries:
Regexp file mask
%HOMEDRIVE%\Log\rfusclient.exe
%HOMEDRIVE%\rfusclient.exe
%HOMEDRIVE%\rutserv.exe
%PROGRAMFILES%\Java\rfusclient.exe
%PROGRAMFILES%\Java\rutserv.exe
%PROGRAMFILES%\Microsoft Games\rfusclient.exe
%PROGRAMFILES%\rtsd\rfusclient.exe
%PROGRAMFILES%\rtsd\rutserv.exe
%PROGRAMFILES%\System\rfusclient.exe
%PROGRAMFILES%\System\rutserv.exe
%PROGRAMFILES(x86)%\Java\rfusclient.exe
%PROGRAMFILES(x86)%\Java\rutserv.exe
%PROGRAMFILES(x86)%\System\rfusclient.exe
%PROGRAMFILES(x86)%\System\rutserv.exe

Directories

PUP.RemoteAdmin may create the following directory or directories:

%ALLUSERSPROFILE%\CardWindows
%ALLUSERSPROFILE%\WindowsVolume
%APPDATA%\RMS-Agent
%Homedrive%\Remote Manipulator System
%PROGRAMFILES%\Remote Manipulator System - Host
%PROGRAMFILES%\Remote Manipulator System - Server
%PROGRAMFILES%\Remote Manipulator System - Viewer
%PROGRAMFILES%\Remote Utilities - Host
%PROGRAMFILES%\Remote Utilities - Server
%PROGRAMFILES%\Server
%PROGRAMFILES(x86)%\Remote Manipulator System - Host
%PROGRAMFILES(x86)%\Remote Manipulator System - Server
%PROGRAMFILES(x86)%\Remote Manipulator System - Viewer
%PROGRAMFILES(x86)%\Remote Utilities - Host
%PROGRAMFILES(x86)%\Remote Utilities - Server
%PROGRAMFILES(x86)%\Server
%Windir%\ehome\ASCON

Analysis Report

General information

Family Name: PUP.RemoteAdmin
Signature status: Root Not Trusted

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Comments
  • Radmin - Remote Control Server
  • Radmin Viewer
Company Name
  • Famatech Corp.
  • Famatech International Corp.
  • Flexera
  • NetSupport Ltd
  • TektonIT
File Description
  • InstallShield
  • Mesh Agent Service
  • NetSupport Client Application
  • Radmin Server component
  • Radmin Viewer
  • RMS
File Version
  • V14.10
  • 31.0.24
  • 24.0.464
  • 7.5.1.0
  • 3, 5, 2, 0
  • 3, 5, 0, 0
  • 3, 0, 0, 5
  • 1.00
  • 0.2.1.3
Internal Build Number
  • 182945
  • 215864
Internal Name
  • client32
  • MeshAgent
  • Radmin
  • rsl
  • TJprojMain
  • _IsIcoRes.exe
Legal Copyright
  • Apache 2.0 License
  • Copyright (c) 2018 Flexera. All Rights Reserved.
  • Copyright (c) 2025 Flexera. All Rights Reserved.
  • Copyright © 1999-2007 Famatech International Corp. and its licensors. All rights reserved.
  • Copyright © 1999-2012 Famatech Corp. and its licensors. All rights reserved.
  • Copyright © 1999-2017 Famatech Corp. and its licensors. All rights reserved.
  • Copyright © 2024 TektonIT. Ter-Osipov Alex. All rights reserved.
  • NetSupport Ltd © 2024
Legal Trademarks Radmin, Remote Administrator
Original Filename
  • client32.exe
  • MeshAgent.exe
  • Radmin.exe
  • rsl.exe
  • TJprojMain.exe
  • _IsIcoRes.exe
Private Build V14.10
Product Name
  • InstallShield
  • Mesh Agent Service
  • NetSupport Remote Control
  • Project1
  • Radmin Server
  • Radmin Viewer
  • Remote Manipulator System
Product Version
  • V14.10
  • 31.0
  • 24.0
  • 7.5.1.0
  • 3, 5, 2, 0
  • 3, 5, 0, 0
  • 3, 0, 0, 5
  • 1.00
  • 0, 0, 0, 0
Program ID ru.rmansys.SfxExtractor

Digital Signatures

Signer | Root | Status
Famatech International Corp. | Class 3 Public Primary Certification Authority | Root Not Trusted
DATEV.it SRL | DigiCert Trusted Root G4 | Root Not Trusted
IP Ter-Osipov Aleksey Vladimirovich | GlobalSign Code Signing Root R45 | Root Not Trusted
Famatech Corp. | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch
Famatech Corp. | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch
Famatech Corp. | VeriSign Class 3 Public Primary Certification Authority - G5 | Hash Mismatch

File Traits

  • 2+ executable sections
  • HighEntropy
  • Installer Manifest
  • Installer Version
  • x86

Block Information

Total Blocks: 1,606
Potentially Malicious Blocks: 29
Whitelisted Blocks: 1,577
Unknown Blocks: 0


Similar Families

  • Agent.AVC
  • Agent.M
  • Agent.MAC
  • Agent.OFE
  • BadJoke.JB
  • BadJoke.XA
  • BadJoke.XAB
  • BadJoke.XAE
  • Filecoder.GYT
  • Filecoder.VBC
  • MeshAgent.A
  • Trojan.Downloader.Gen.NL
  • Trojan.Filecoder.Gen.AG
  • Vidar.FA

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\eventlog\application\screenconnect::eventmessagefile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll | RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Service Control
  • OpenSCManager
  • OpenService
  • StartServiceCtrlDispatcher
Process Shell Execute
  • ShellExecuteEx
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug
  • NtQuerySystemInformation
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

open RServer3.exe
