rms | a2c9e4f09745da32b05cb9dec107f05c84b0772164cb91ccaa09bce68cfef606

Analysis

max time kernel
4294148s
max time network
167s
platform
windows7_x64
resource
win7-20220311-en
submitted
17-03-2022 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.bat
Size

1KB
MD5

125b0e626d1babc93c042cf84dd33c05
SHA1

d5f01d546be84337306306f71e6bc612442481d8
SHA256

8df26877285b0fb8dd52db09da874c24c02e9f1a4d6794752d6ac556e4f927b3
SHA512

e6213ef36cc70cc257b671f9dbf590c96e5bcd02196b1de90b2b7be019035f2a859c98003be963983a0f86cf6695aed1db3a3e26b22c1f49bca79d1af9cc6ca5

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System	attrib.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1816	timeout.exe
528	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
772	taskkill.exe
1332	taskkill.exe
1936	taskkill.exe
1916	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1952	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1744	rutserv.exe
1280	rutserv.exe
1224	rutserv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1660	rfusclient.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1664	rfusclient.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
2000	rfusclient.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1620	rfusclient.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1380	rfusclient.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1476	rfusclient.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
1572	rfusclient.exe
928	rutserv.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1744	rutserv.exe
Token: SeDebugPrivilege	1224	rutserv.exe
Token: SeTakeOwnershipPrivilege	1688	rutserv.exe
Token: SeTcbPrivilege	1688	rutserv.exe
Token: SeTcbPrivilege	1688	rutserv.exe
Token: SeTakeOwnershipPrivilege	1548	rutserv.exe
Token: SeTcbPrivilege	1548	rutserv.exe
Token: SeTcbPrivilege	1548	rutserv.exe
Token: SeTakeOwnershipPrivilege	1504	rutserv.exe
Token: SeTcbPrivilege	1504	rutserv.exe
Token: SeTcbPrivilege	1504	rutserv.exe
Token: SeTakeOwnershipPrivilege	1800	rutserv.exe
Token: SeTcbPrivilege	1800	rutserv.exe
Token: SeTcbPrivilege	1800	rutserv.exe
Token: SeTakeOwnershipPrivilege	1072	rutserv.exe
Token: SeTcbPrivilege	1072	rutserv.exe
Token: SeTcbPrivilege	1072	rutserv.exe
Token: SeTakeOwnershipPrivilege	1888	rutserv.exe
Token: SeTcbPrivilege	1888	rutserv.exe
Token: SeTcbPrivilege	1888	rutserv.exe
Token: SeTakeOwnershipPrivilege	972	rutserv.exe
Token: SeTcbPrivilege	972	rutserv.exe
Token: SeTcbPrivilege	972	rutserv.exe
Token: SeTakeOwnershipPrivilege	928	rutserv.exe
Token: SeTcbPrivilege	928	rutserv.exe
Token: SeTcbPrivilege	928	rutserv.exe
Token: SeTakeOwnershipPrivilege	1268	rutserv.exe
Token: SeTcbPrivilege	1268	rutserv.exe
Token: SeTcbPrivilege	1268	rutserv.exe
Token: SeTakeOwnershipPrivilege	880	rutserv.exe
Token: SeTcbPrivilege	880	rutserv.exe
Token: SeTcbPrivilege	880	rutserv.exe
Token: SeTakeOwnershipPrivilege	952	rutserv.exe
Token: SeTcbPrivilege	952	rutserv.exe
Token: SeTcbPrivilege	952	rutserv.exe
Token: SeTakeOwnershipPrivilege	1464	rutserv.exe
Token: SeTcbPrivilege	1464	rutserv.exe
Token: SeTcbPrivilege	1464	rutserv.exe
Token: SeTakeOwnershipPrivilege	756	rutserv.exe
Token: SeTcbPrivilege	756	rutserv.exe
Token: SeTcbPrivilege	756	rutserv.exe
Token: SeTakeOwnershipPrivilege	472	rutserv.exe
Token: SeTcbPrivilege	472	rutserv.exe
Token: SeTcbPrivilege	472	rutserv.exe
Token: SeTakeOwnershipPrivilege	1400	rutserv.exe
Token: SeTcbPrivilege	1400	rutserv.exe
Token: SeTcbPrivilege	1400	rutserv.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1744	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1280	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1224	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1688	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1548	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1504	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1072	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
1888	rutserv.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
972	rutserv.exe
928	rutserv.exe
928	rutserv.exe
928	rutserv.exe
928	rutserv.exe
1268	rutserv.exe
1268	rutserv.exe
1268	rutserv.exe
1268	rutserv.exe
880	rutserv.exe
880	rutserv.exe
880	rutserv.exe
880	rutserv.exe
952	rutserv.exe
952	rutserv.exe
952	rutserv.exe
952	rutserv.exe
1464	rutserv.exe
1464	rutserv.exe
1464	rutserv.exe
1464	rutserv.exe
756	rutserv.exe
756	rutserv.exe
756	rutserv.exe
756	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1896	2032	cmd.exe	30
PID 2032 wrote to memory of 1876	2032	cmd.exe	31
PID 2032 wrote to memory of 1876	2032	cmd.exe	31
PID 2032 wrote to memory of 1876	2032	cmd.exe	31
PID 2032 wrote to memory of 1916	2032	cmd.exe	32
PID 2032 wrote to memory of 1916	2032	cmd.exe	32
PID 2032 wrote to memory of 1916	2032	cmd.exe	32
PID 2032 wrote to memory of 772	2032	cmd.exe	34
PID 2032 wrote to memory of 772	2032	cmd.exe	34
PID 2032 wrote to memory of 772	2032	cmd.exe	34
PID 2032 wrote to memory of 1332	2032	cmd.exe	35
PID 2032 wrote to memory of 1332	2032	cmd.exe	35
PID 2032 wrote to memory of 1332	2032	cmd.exe	35
PID 2032 wrote to memory of 1936	2032	cmd.exe	36
PID 2032 wrote to memory of 1936	2032	cmd.exe	36
PID 2032 wrote to memory of 1936	2032	cmd.exe	36
PID 2032 wrote to memory of 1460	2032	cmd.exe	37
PID 2032 wrote to memory of 1460	2032	cmd.exe	37
PID 2032 wrote to memory of 1460	2032	cmd.exe	37
PID 2032 wrote to memory of 1952	2032	cmd.exe	38
PID 2032 wrote to memory of 1952	2032	cmd.exe	38
PID 2032 wrote to memory of 1952	2032	cmd.exe	38
PID 2032 wrote to memory of 1816	2032	cmd.exe	39
PID 2032 wrote to memory of 1816	2032	cmd.exe	39
PID 2032 wrote to memory of 1816	2032	cmd.exe	39
PID 2032 wrote to memory of 1744	2032	cmd.exe	40
PID 2032 wrote to memory of 1744	2032	cmd.exe	40
PID 2032 wrote to memory of 1744	2032	cmd.exe	40
PID 2032 wrote to memory of 1744	2032	cmd.exe	40
PID 2032 wrote to memory of 1280	2032	cmd.exe	41
PID 2032 wrote to memory of 1280	2032	cmd.exe	41
PID 2032 wrote to memory of 1280	2032	cmd.exe	41
PID 2032 wrote to memory of 1280	2032	cmd.exe	41
PID 2032 wrote to memory of 1224	2032	cmd.exe	42
PID 2032 wrote to memory of 1224	2032	cmd.exe	42
PID 2032 wrote to memory of 1224	2032	cmd.exe	42
PID 2032 wrote to memory of 1224	2032	cmd.exe	42
PID 1688 wrote to memory of 1660	1688	rutserv.exe	44
PID 1688 wrote to memory of 1660	1688	rutserv.exe	44
PID 1688 wrote to memory of 1660	1688	rutserv.exe	44
PID 1688 wrote to memory of 1660	1688	rutserv.exe	44
PID 1688 wrote to memory of 240	1688	rutserv.exe	45
PID 1688 wrote to memory of 240	1688	rutserv.exe	45
PID 1688 wrote to memory of 240	1688	rutserv.exe	45
PID 1688 wrote to memory of 240	1688	rutserv.exe	45
PID 2032 wrote to memory of 1616	2032	cmd.exe	46
PID 2032 wrote to memory of 1616	2032	cmd.exe	46
PID 2032 wrote to memory of 1616	2032	cmd.exe	46
PID 2032 wrote to memory of 1672	2032	cmd.exe	47
PID 2032 wrote to memory of 1672	2032	cmd.exe	47
PID 2032 wrote to memory of 1672	2032	cmd.exe	47
PID 2032 wrote to memory of 772	2032	cmd.exe	49
PID 2032 wrote to memory of 772	2032	cmd.exe	49
PID 2032 wrote to memory of 772	2032	cmd.exe	49
PID 1548 wrote to memory of 1664	1548	rutserv.exe	50
PID 1548 wrote to memory of 1664	1548	rutserv.exe	50
PID 1548 wrote to memory of 1664	1548	rutserv.exe	50
PID 1548 wrote to memory of 1664	1548	rutserv.exe	50
PID 1548 wrote to memory of 284	1548	rutserv.exe	51
PID 1548 wrote to memory of 284	1548	rutserv.exe	51
PID 1548 wrote to memory of 284	1548	rutserv.exe	51
PID 1548 wrote to memory of 284	1548	rutserv.exe	51

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1896	attrib.exe
1876	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\attrib.exe
  attrib "C:\Program Files (x86)\System" +H +S /S /D
  2⤵
  - Drops file in Program Files directory
  - Views/modifies file attributes
  PID:1896
- C:\Windows\system32\attrib.exe
  attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
  2⤵
  - Views/modifies file attributes
  PID:1876
- C:\Windows\system32\taskkill.exe
  taskkill /f /im rutserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\system32\taskkill.exe
  Taskkill /f /im rutserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\system32\taskkill.exe
  taskkill /f /im rfusclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\system32\taskkill.exe
  Taskkill /f /im rfusclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
  2⤵
  PID:1460
- C:\Windows\regedit.exe
  regedit /s "regedit.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1952
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\rutserv.exe
  rutserv.exe /silentinstall
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\rutserv.exe
  rutserv.exe /firewall
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\rutserv.exe
  rutserv.exe /start
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1224
- C:\Windows\system32\sc.exe
  sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config RManService obj= LocalSystem type= interact type= own
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config RManService DisplayName= "Windows_Defender v6.3"
  2⤵
  PID:772
- C:\Windows\system32\timeout.exe
  timeout 120
  2⤵
  - Delays execution with timeout.exe
  PID:528

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:240

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
    C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
    3⤵
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:284

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1952

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1800
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:284

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1072
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1676

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1888
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:632
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:972
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1712

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:744

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:880
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:948
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1564

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:952
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1324

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1464
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1544

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:756
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1748

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:472
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:880

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1400
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:240
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:1820

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
"C:\Users\Admin\AppData\Local\Temp\rutserv.exe"
1⤵
PID:948
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-68-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-306-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-81-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-80-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/240-70-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-63-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-67-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/240-65-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-132-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-99-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/284-101-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-127-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-129-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-130-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-92-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-90-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-87-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-85-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-138-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-134-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/284-84-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/632-168-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/744-214-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/756-265-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/880-292-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/948-227-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/960-291-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1224-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1324-244-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1380-152-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1464-257-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1464-259-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1476-167-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-104-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-111-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-107-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-106-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-105-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1476-103-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1484-260-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1544-261-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1548-97-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1548-79-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1548-93-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1548-95-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/1548-100-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1548-98-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/1548-96-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/1560-197-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1564-235-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1572-182-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-137-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-128-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-135-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-136-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-133-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1620-131-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1640-199-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-73-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-64-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-66-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-69-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-78-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1660-75-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1664-86-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1664-91-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1664-89-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1664-94-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1664-258-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1664-88-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1676-153-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1688-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-76-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1688-72-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1688-74-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1712-183-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1724-212-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1744-242-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1744-55-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1744-56-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1744-290-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1748-271-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1820-308-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1952-118-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-116-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-115-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-120-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-124-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-113-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-117-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-122-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-121-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-119-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-114-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2000-112-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download