Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 15:06
Static task
static1
Behavioral task
behavioral1
Sample
8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe
Resource
win7-20221111-en
General
-
Target
8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe
-
Size
7.2MB
-
MD5
b1c2b3fa4e8094cc0c93c3d1e341678c
-
SHA1
8c35dba41ca1a411a18b416ed515be0129b58f91
-
SHA256
8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b
-
SHA512
eede8112c49dbaacf70c1f1616159d38e542d35a81d47016d8bbbe508d9710371e51da18bf1242fcf21b1183d125f75aa446fe663459153acf5118c9b8623779
-
SSDEEP
196608:YkoCOc7n/+FEqkbVruOFwtfqS0b1KqQ6UrQ0Q8fAd17b+QXnjf0+2:Ykac7WFEFbVfwAS4Y13Q8817b+Qa
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 17 1548 msiexec.exe 22 1548 msiexec.exe -
Executes dropped EXE 7 IoCs
pid Process 3432 rutserv.exe 1428 rutserv.exe 2988 rutserv.exe 3204 rutserv.exe 4888 rfusclient.exe 944 rfusclient.exe 2016 rfusclient.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe -
Loads dropped DLL 8 IoCs
pid Process 544 MsiExec.exe 3432 rutserv.exe 1428 rutserv.exe 2988 rutserv.exe 3204 rutserv.exe 4888 rfusclient.exe 944 rfusclient.exe 2016 rfusclient.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Program Files directory 58 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Printer\x86\rmsui2.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\SampleClient.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\unidrvui_rms.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\uninstall.cmd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rms.lng msiexec.exe File created C:\Program Files (x86)\Common Files\rfusclient.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\fwproc.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\srvinst.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\fwproc.exe msiexec.exe File created C:\Program Files (x86)\Common Files\winmm.dll cmd.exe File created C:\Program Files (x86)\Common Files\Printer\x86\VPDAgent.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rmsui.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\unidrv_rms.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rms_s.lng msiexec.exe File created C:\Program Files (x86)\Common Files\msvcp90.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rmspm.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\ntprint.inf msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\srvinst_x64.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rmsui.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\unidrv_rms.hlp msiexec.exe File created C:\Program Files (x86)\Common Files\English.lg msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\setupdrv.exe msiexec.exe File created C:\Program Files (x86)\Common Files\vp8encoder.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rms.gpd msiexec.exe File created C:\Program Files (x86)\Common Files\Russian.lg msiexec.exe File created C:\Program Files (x86)\Common Files\dsfVorbisDecoder.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\unires_vpd.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Microsoft.VC90.CRT.manifest msiexec.exe File created C:\Program Files (x86)\Common Files\vp8decoder.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\VPDAgent_x64.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\unidrvui_rms.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\uninstall.cmd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\progress.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rmsui2.exe msiexec.exe File opened for modification C:\Program Files (x86)\Common Files\winmm.dll cmd.exe File created C:\Program Files (x86)\Common Files\msvcr90.dll msiexec.exe File created C:\Program Files (x86)\Common Files\rutserv.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\unidrv_rms.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rms.gpd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\unires_vpd.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\install.cmd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rms.lng msiexec.exe File created C:\Program Files (x86)\Common Files\EULA.rtf msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rms.ini msiexec.exe File created C:\Program Files (x86)\Common Files\dsfVorbisEncoder.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\install.cmd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rms.ini msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\rmspm.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\ntprint.inf msiexec.exe File created C:\Program Files (x86)\Common Files\RWLN.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\stdnames_vpd.gpd msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\stdnames_vpd.gpd msiexec.exe File created C:\Program Files (x86)\Common Files\RIPCServer.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\rms_s.lng msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x86\unidrv_rms.hlp msiexec.exe File created C:\Program Files (x86)\Common Files\gdiplus.dll msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\progress.exe msiexec.exe File created C:\Program Files (x86)\Common Files\Printer\x64\setupdrv.exe msiexec.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A} msiexec.exe File opened for modification C:\Windows\Installer\MSI1C6.tmp msiexec.exe File created C:\Windows\Installer\e56f97b.msi msiexec.exe File opened for modification C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe msiexec.exe File opened for modification C:\Windows\Installer\e56f978.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe msiexec.exe File opened for modification C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe msiexec.exe File opened for modification C:\Windows\Installer\MSIFED7.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e56f978.msi msiexec.exe File created C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe msiexec.exe File created C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe msiexec.exe File opened for modification C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe msiexec.exe File created C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe msiexec.exe File created C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe -
Modifies registry class 25 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\E629DA2CCD54F5C4880A36EA6E3A62A2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2\RMS msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductIcon = "C:\\Windows\\Installer\\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\\ARPPRODUCTICON.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Language = "1049" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\1 = "DISK1;1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\PackageCode = "CA621BAB2625C4F47B0824566FC192D8" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Version = "100603060" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2048" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\PackageName = "system32.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\DiskPrompt = "[1]" msiexec.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5100 PING.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1548 msiexec.exe 1548 msiexec.exe 3432 rutserv.exe 3432 rutserv.exe 3432 rutserv.exe 3432 rutserv.exe 3432 rutserv.exe 3432 rutserv.exe 1428 rutserv.exe 1428 rutserv.exe 2988 rutserv.exe 2988 rutserv.exe 3204 rutserv.exe 3204 rutserv.exe 3204 rutserv.exe 3204 rutserv.exe 3204 rutserv.exe 3204 rutserv.exe 4888 rfusclient.exe 4888 rfusclient.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 2016 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2332 msiexec.exe Token: SeIncreaseQuotaPrivilege 2332 msiexec.exe Token: SeSecurityPrivilege 1548 msiexec.exe Token: SeCreateTokenPrivilege 2332 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2332 msiexec.exe Token: SeLockMemoryPrivilege 2332 msiexec.exe Token: SeIncreaseQuotaPrivilege 2332 msiexec.exe Token: SeMachineAccountPrivilege 2332 msiexec.exe Token: SeTcbPrivilege 2332 msiexec.exe Token: SeSecurityPrivilege 2332 msiexec.exe Token: SeTakeOwnershipPrivilege 2332 msiexec.exe Token: SeLoadDriverPrivilege 2332 msiexec.exe Token: SeSystemProfilePrivilege 2332 msiexec.exe Token: SeSystemtimePrivilege 2332 msiexec.exe Token: SeProfSingleProcessPrivilege 2332 msiexec.exe Token: SeIncBasePriorityPrivilege 2332 msiexec.exe Token: SeCreatePagefilePrivilege 2332 msiexec.exe Token: SeCreatePermanentPrivilege 2332 msiexec.exe Token: SeBackupPrivilege 2332 msiexec.exe Token: SeRestorePrivilege 2332 msiexec.exe Token: SeShutdownPrivilege 2332 msiexec.exe Token: SeDebugPrivilege 2332 msiexec.exe Token: SeAuditPrivilege 2332 msiexec.exe Token: SeSystemEnvironmentPrivilege 2332 msiexec.exe Token: SeChangeNotifyPrivilege 2332 msiexec.exe Token: SeRemoteShutdownPrivilege 2332 msiexec.exe Token: SeUndockPrivilege 2332 msiexec.exe Token: SeSyncAgentPrivilege 2332 msiexec.exe Token: SeEnableDelegationPrivilege 2332 msiexec.exe Token: SeManageVolumePrivilege 2332 msiexec.exe Token: SeImpersonatePrivilege 2332 msiexec.exe Token: SeCreateGlobalPrivilege 2332 msiexec.exe Token: SeShutdownPrivilege 2108 msiexec.exe Token: SeIncreaseQuotaPrivilege 2108 msiexec.exe Token: SeCreateTokenPrivilege 2108 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2108 msiexec.exe Token: SeLockMemoryPrivilege 2108 msiexec.exe Token: SeIncreaseQuotaPrivilege 2108 msiexec.exe Token: SeMachineAccountPrivilege 2108 msiexec.exe Token: SeTcbPrivilege 2108 msiexec.exe Token: SeSecurityPrivilege 2108 msiexec.exe Token: SeTakeOwnershipPrivilege 2108 msiexec.exe Token: SeLoadDriverPrivilege 2108 msiexec.exe Token: SeSystemProfilePrivilege 2108 msiexec.exe Token: SeSystemtimePrivilege 2108 msiexec.exe Token: SeProfSingleProcessPrivilege 2108 msiexec.exe Token: SeIncBasePriorityPrivilege 2108 msiexec.exe Token: SeCreatePagefilePrivilege 2108 msiexec.exe Token: SeCreatePermanentPrivilege 2108 msiexec.exe Token: SeBackupPrivilege 2108 msiexec.exe Token: SeRestorePrivilege 2108 msiexec.exe Token: SeShutdownPrivilege 2108 msiexec.exe Token: SeDebugPrivilege 2108 msiexec.exe Token: SeAuditPrivilege 2108 msiexec.exe Token: SeSystemEnvironmentPrivilege 2108 msiexec.exe Token: SeChangeNotifyPrivilege 2108 msiexec.exe Token: SeRemoteShutdownPrivilege 2108 msiexec.exe Token: SeUndockPrivilege 2108 msiexec.exe Token: SeSyncAgentPrivilege 2108 msiexec.exe Token: SeEnableDelegationPrivilege 2108 msiexec.exe Token: SeManageVolumePrivilege 2108 msiexec.exe Token: SeImpersonatePrivilege 2108 msiexec.exe Token: SeCreateGlobalPrivilege 2108 msiexec.exe Token: SeShutdownPrivilege 2920 msiexec.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 4872 wrote to memory of 2152 4872 8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe 80 PID 4872 wrote to memory of 2152 4872 8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe 80 PID 4872 wrote to memory of 2152 4872 8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe 80 PID 2152 wrote to memory of 1472 2152 cmd.exe 82 PID 2152 wrote to memory of 1472 2152 cmd.exe 82 PID 2152 wrote to memory of 1472 2152 cmd.exe 82 PID 2152 wrote to memory of 4332 2152 cmd.exe 83 PID 2152 wrote to memory of 4332 2152 cmd.exe 83 PID 2152 wrote to memory of 4332 2152 cmd.exe 83 PID 2152 wrote to memory of 2332 2152 cmd.exe 84 PID 2152 wrote to memory of 2332 2152 cmd.exe 84 PID 2152 wrote to memory of 2332 2152 cmd.exe 84 PID 2152 wrote to memory of 2108 2152 cmd.exe 86 PID 2152 wrote to memory of 2108 2152 cmd.exe 86 PID 2152 wrote to memory of 2108 2152 cmd.exe 86 PID 2152 wrote to memory of 5100 2152 cmd.exe 87 PID 2152 wrote to memory of 5100 2152 cmd.exe 87 PID 2152 wrote to memory of 5100 2152 cmd.exe 87 PID 2152 wrote to memory of 2920 2152 cmd.exe 88 PID 2152 wrote to memory of 2920 2152 cmd.exe 88 PID 2152 wrote to memory of 2920 2152 cmd.exe 88 PID 1548 wrote to memory of 544 1548 msiexec.exe 92 PID 1548 wrote to memory of 544 1548 msiexec.exe 92 PID 1548 wrote to memory of 544 1548 msiexec.exe 92 PID 1548 wrote to memory of 3432 1548 msiexec.exe 94 PID 1548 wrote to memory of 3432 1548 msiexec.exe 94 PID 1548 wrote to memory of 3432 1548 msiexec.exe 94 PID 1548 wrote to memory of 1428 1548 msiexec.exe 95 PID 1548 wrote to memory of 1428 1548 msiexec.exe 95 PID 1548 wrote to memory of 1428 1548 msiexec.exe 95 PID 1548 wrote to memory of 2988 1548 msiexec.exe 96 PID 1548 wrote to memory of 2988 1548 msiexec.exe 96 PID 1548 wrote to memory of 2988 1548 msiexec.exe 96 PID 3204 wrote to memory of 4888 3204 rutserv.exe 99 PID 3204 wrote to memory of 4888 3204 rutserv.exe 99 PID 3204 wrote to memory of 4888 3204 rutserv.exe 99 PID 3204 wrote to memory of 944 3204 rutserv.exe 98 PID 3204 wrote to memory of 944 3204 rutserv.exe 98 PID 3204 wrote to memory of 944 3204 rutserv.exe 98 PID 4888 wrote to memory of 2016 4888 rfusclient.exe 104 PID 4888 wrote to memory of 2016 4888 rfusclient.exe 104 PID 4888 wrote to memory of 2016 4888 rfusclient.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe"C:\Users\Admin\AppData\Local\Temp\8e61615de91718b4662d4a99e0e5113c34237c316e6646c5a906ef2208d8da8b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\chcp.comchcp 12513⤵PID:1472
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\error.vbs"3⤵PID:4332
-
-
C:\Windows\SysWOW64\msiexec.exeMsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\SysWOW64\msiexec.exeMsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:5100
-
-
C:\Windows\SysWOW64\msiexec.exeMsiExec /I "system32.msi" /qn3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B6D573892AF206A7EF2D66F8F60662C92⤵
- Loads dropped DLL
PID:544
-
-
C:\Program Files (x86)\Common Files\rutserv.exe"C:\Program Files (x86)\Common Files\rutserv.exe" /silentinstall2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3432
-
-
C:\Program Files (x86)\Common Files\rutserv.exe"C:\Program Files (x86)\Common Files\rutserv.exe" /firewall2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
-
C:\Program Files (x86)\Common Files\rutserv.exe"C:\Program Files (x86)\Common Files\rutserv.exe" /start2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2988
-
-
C:\Program Files (x86)\Common Files\rutserv.exe"C:\Program Files (x86)\Common Files\rutserv.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Program Files (x86)\Common Files\rfusclient.exe"C:\Program Files (x86)\Common Files\rfusclient.exe" /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944
-
-
C:\Program Files (x86)\Common Files\rfusclient.exe"C:\Program Files (x86)\Common Files\rfusclient.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Program Files (x86)\Common Files\rfusclient.exe"C:\Program Files (x86)\Common Files\rfusclient.exe" /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: SetClipboardViewer
PID:2016
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD590dea654be9ff2a477a874ede3b8919e
SHA153e2e671335c55e16dde8913e09509b4ecd9b39e
SHA2563b6d4e43df68eadef9def8e7e8b4472114459385853cea859f2185a5ecfab24e
SHA512297dbf1fb868e56fe5175e70d6c88c8f5932ddb838f415ea97835a994ca2958657ed58eb920abc33417aa7386a532a6412449b08989290d4749efe2270f62bd9
-
Filesize
144KB
MD5941d1b63a94549cbe5224a4e722dd4d5
SHA1bab121f4c3528af35456bac20fbd296112624260
SHA256ce1cd24a782932e1c28c030da741a21729a3c5930d8358079b0f91747dd0d832
SHA512b6bf11fa34ceab70e3f3ce48a8a6dcbe5cfa859db4a03ca18cc6309773a32aff9db111d2d2ab5bb1ce974322eaf71ea81cfaa3911d6b8085a82823a0aa1d30ee
-
Filesize
957KB
MD5897266223a905afdc1225ff4e621c868
SHA16a5130154430284997dc76af8b145ab90b562110
SHA256be991f825a2e6939f776ebc6d80d512a33cbbe60de2fcc32820c64f1d6b13c07
SHA5121ad1386e71e036e66f3b6fdece5a376e7309ceb0f6eb73c3a8203b0825c45aa1f74e1f722b508cf3f73456e7d808853d37bcef79bfe8476fc16a4e6af2e9202b
-
Filesize
48KB
MD53756211f2aa8ffe4b37afd42b6e3ecd3
SHA18fc79a50f97d0cfe3c877b13931353cade99e2f6
SHA256e283bc3d094bc5ec94d922f3b5559c4ad8ca25c4a24e2ca31e74511ba31e29c1
SHA512e83cd1d0fa8cc28d3154fb223ac938a5fd1b37a600f3a88a4ae7924a56b1a3684d210e273005fe436b03e07e8af76a19626c022bd6fc2eeefd1be8bd0d251edb
-
Filesize
240KB
MD550bad879226bcbbf02d5cf2dcbcfbf61
SHA1be262f40212bd5a227d19fdbbd4580c200c31e4b
SHA25649295f414c5405a4f180b319cfed471871471776e4853baaf117a5185ec0d90d
SHA512476df817a9c9e23423080afcac899b83fc8f532e4fe62bea2feeb988cba538f1f710e2fb61d81d6c283c428d772922c7a6ecb1684ac68ca8f267415105a60116
-
Filesize
1.6MB
MD52721aa44e21659358e8a25c0f13ce02b
SHA191589226e6fd81675e013c5b7aad06e5f7903e61
SHA25674ca24097bc69145af11dc6a0580665d4766aa78c7633f4084d16d7b4fecc5fb
SHA512fb1f06e18b369e5df0dedf20bf5bcaae4f6d93bf8a4789db2d05b7c895fdeff2dc086089cca67fa7d352563b491606a547c37959db623b071e90a1c876d6cc2a
-
Filesize
1.6MB
MD57916c52814b561215c01795bb71bb884
SHA10b3341642559efc8233561f81ec80a3983b9fc2d
SHA2567d3c4c52684afff597dc4c132c464b651cb94aad039458b674d69cf76c240e64
SHA512fc0a1d717c636639be6835d93bdde8019799842e11a055bedeb468f57cfaabf5582a65e1770841486550e06b1b9ba020ff5fad14b7838fe70afefb37933f1a8f
-
Filesize
556KB
MD599c5cb416cb1f25f24a83623ed6a6a09
SHA10dbf63dea76be72390c0397cb047a83914e0f7c8
SHA2569f47416ca37a864a31d3dc997677f8739433f294e83d0621c48eb9093c2e4515
SHA5128bd1b14a690aa15c07ead90edacbcc4e8e3f68e0bfd6191d42519b9542786df35a66ed37e7af9cf9ff14d55a5622c29a88fee2a5bde889740a3ce6160d5256ac
-
Filesize
638KB
MD5bfeac23ced1f4ac8254b5cd1a2bf4dda
SHA1fd450e3bc758d984f68f0ae5963809d7d80645b6
SHA256420d298de132941eacec6718039a5f42eaec498399c482e2e0ff4dad76a09608
SHA5121f4afc2eb72f51b9e600fbbf0d4408728e29b0c6ca45801605801ead0a287873ebbfaaae10b027f1a287c82232d1e7a3a7e7435b7f6a39223c3f7b23d96ed272
-
Filesize
4.8MB
MD51d6f0b1752b19af83f1acffac80d02a9
SHA1e9c4bce6a1999e399a0fe69f6377c816d0241fdc
SHA256a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22
SHA512e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731
-
Filesize
4.8MB
MD51d6f0b1752b19af83f1acffac80d02a9
SHA1e9c4bce6a1999e399a0fe69f6377c816d0241fdc
SHA256a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22
SHA512e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731
-
Filesize
4.8MB
MD51d6f0b1752b19af83f1acffac80d02a9
SHA1e9c4bce6a1999e399a0fe69f6377c816d0241fdc
SHA256a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22
SHA512e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731
-
Filesize
4.8MB
MD51d6f0b1752b19af83f1acffac80d02a9
SHA1e9c4bce6a1999e399a0fe69f6377c816d0241fdc
SHA256a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22
SHA512e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731
-
Filesize
5.7MB
MD584abcb8cc5427479c3e4ebe66300c78a
SHA14227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA5122f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a
-
Filesize
5.7MB
MD584abcb8cc5427479c3e4ebe66300c78a
SHA14227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA5122f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a
-
Filesize
5.7MB
MD584abcb8cc5427479c3e4ebe66300c78a
SHA14227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA5122f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a
-
Filesize
5.7MB
MD584abcb8cc5427479c3e4ebe66300c78a
SHA14227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA5122f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a
-
Filesize
5.7MB
MD584abcb8cc5427479c3e4ebe66300c78a
SHA14227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA5122f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a
-
Filesize
409KB
MD51525887bc6978c0b54fec544877319e6
SHA17820fcd66e6fbf717d78a2a4df5b0367923dc431
SHA256a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69
SHA51256cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153
-
Filesize
691KB
MD5c8fd8c4bc131d59606b08920b2fda91c
SHA1df777e7c6c1b3d84a8277e6a669e9a5f7c15896d
SHA2566f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240
SHA5122fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
294B
MD562496e15da713dca3beea9f057afc878
SHA1b019a427189aebf4bec151d0ac11f033775e6386
SHA256062c60102064e1e4f8fc9780ca83dd61843677c2f8a59a002cda8cd7a0ff6744
SHA5121f158f06e2d7a2aa5014611c48b23bb9564899afe0f25d62b593ddc7c0d71e5bf10e4d6470f73af06398192b64572eac4b4c9c3a6f5be839129e17e29288cdd2
-
Filesize
283B
MD51290a35d991c49cd0dfe50ae3db8022c
SHA1bb6db05d3a34376bcd2e024b4ec79b88c09104c2
SHA256342d51d06b58fee8bb35cf4b578d3771fde41a8533563158da42098974255323
SHA512b3e8435f70997aff475eb06f58d9e6425ac2e018494ce7d631ea99037f59a1c47b084c6acb9059333dfde3dbe57c3a4d896f993d216cdbdf414d31ffb9948327
-
Filesize
7.9MB
MD59e26598905ce79dd78ec338b7e12ea22
SHA1ac29b2625db791128cf9fcdaa1fdcee90ac69f70
SHA25665c4acd3866a6a7ee6441b68cd4275a169a3d8c55917a8cd683b40905dd33b2a
SHA512e409a0820261f96fc034905ad32441e2f2a6309b8f0c0eda9050e6db7fdde61e1648c58d29a20b951bee9e82486ef7c02eec1faf479857ccf81511f3d8696054
-
Filesize
21KB
MD591b769ba7d48157f452bd26be72160ec
SHA1b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA25658e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA5121c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2
-
Filesize
125KB
MD5b0bcc622f1fff0eec99e487fa1a4ddd9
SHA149aa392454bd5869fa23794196aedc38e8eea6f5
SHA256b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA5121572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7
-
Filesize
125KB
MD5b0bcc622f1fff0eec99e487fa1a4ddd9
SHA149aa392454bd5869fa23794196aedc38e8eea6f5
SHA256b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA5121572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7