rms | 5c40375030347df78642b47f85d9f40e80ef0d4a9f55a5f5bde6ec65d7b4a59b

Analysis

max time kernel
93s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
02/02/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
Size

3.9MB
MD5

dd4209f7493b99118c613d3fcc0566ed
SHA1

5854ccbee044c60a36f462d7fb8118b495354963
SHA256

9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6
SHA512

a9937a88057776ac09dfa67747f1bb738b836823566d317b0190416d257dbb8c26ae89068b1ec6b65990a8e94bae0cebc38938bf909042f9c0a54c7d01afe005
SSDEEP

98304:beZIXSqVHHhmqNaCZMhEgh3hCRS0fFF3tplnICLluBFBrJ:YqVoqNaCZBwsRS09xtvIusB1

Score

10^/10

rms aspackv2 discovery rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002aaf5-54.dat	acprotect
behavioral1/files/0x001900000002aaf2-53.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001900000002aaf1-20.dat	aspack_v212_v242
behavioral1/files/0x001900000002aaef-55.dat	aspack_v212_v242

Executes dropped EXE 7 IoCs

pid	Process
2352	rutserv.exe
888	rutserv.exe
1540	rutserv.exe
5004	rutserv.exe
716	rfusclient.exe
2524	rfusclient.exe
1576	rfusclient.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aaf5-54.dat	upx
behavioral1/files/0x001900000002aaf2-53.dat	upx

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Java\install.vbs	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\vp8encoder.dll	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\vp8encoder.dll	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\regedit.reg	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\install.bat	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\rfusclient.exe	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\rutserv.exe	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\rutserv.exe	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\vp8decoder.dll	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\regedit.reg	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\install.vbs	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\install.bat	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File created	C:\Program Files\Java\rfusclient.exe	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	C:\Program Files\Java\vp8decoder.dll	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
File opened for modification	\??\c:\program files\java\rutserv.pdb	rutserv.exe
File created	C:\Program Files\Java\__tmp_rar_sfx_access_check_240626765	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4200	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
3696	taskkill.exe
1964	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829840906279428"	chrome.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825"	explorer.exe
Key created	\Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

Runs .reg file with regedit 1 IoCs

pid	Process
236	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1588	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	rutserv.exe
2352	rutserv.exe
2352	rutserv.exe
2352	rutserv.exe
2352	rutserv.exe
2352	rutserv.exe
888	rutserv.exe
888	rutserv.exe
1540	rutserv.exe
1540	rutserv.exe
5004	rutserv.exe
5004	rutserv.exe
5004	rutserv.exe
5004	rutserv.exe
5004	rutserv.exe
5004	rutserv.exe
2524	rfusclient.exe
2524	rfusclient.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
1876	chrome.exe
1876	chrome.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1576	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	2352	rutserv.exe
Token: SeShutdownPrivilege	2288	control.exe
Token: SeCreatePagefilePrivilege	2288	control.exe
Token: SeDebugPrivilege	1540	rutserv.exe
Token: SeTakeOwnershipPrivilege	5004	rutserv.exe
Token: SeTcbPrivilege	5004	rutserv.exe
Token: SeTcbPrivilege	5004	rutserv.exe
Token: SeDebugPrivilege	2132	taskmgr.exe
Token: SeSystemProfilePrivilege	2132	taskmgr.exe
Token: SeCreateGlobalPrivilege	2132	taskmgr.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1588	explorer.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
1876	chrome.exe
2132	taskmgr.exe
1876	chrome.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2352	rutserv.exe
888	rutserv.exe
1540	rutserv.exe
5004	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4508	1876	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe	77
PID 1876 wrote to memory of 4508	1876	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe	77
PID 1876 wrote to memory of 4508	1876	9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe	77
PID 4508 wrote to memory of 4928	4508	WScript.exe	78
PID 4508 wrote to memory of 4928	4508	WScript.exe	78
PID 4508 wrote to memory of 4928	4508	WScript.exe	78
PID 4928 wrote to memory of 3696	4928	cmd.exe	80
PID 4928 wrote to memory of 3696	4928	cmd.exe	80
PID 4928 wrote to memory of 3696	4928	cmd.exe	80
PID 4928 wrote to memory of 1964	4928	cmd.exe	82
PID 4928 wrote to memory of 1964	4928	cmd.exe	82
PID 4928 wrote to memory of 1964	4928	cmd.exe	82
PID 4928 wrote to memory of 1244	4928	cmd.exe	83
PID 4928 wrote to memory of 1244	4928	cmd.exe	83
PID 4928 wrote to memory of 1244	4928	cmd.exe	83
PID 4928 wrote to memory of 236	4928	cmd.exe	84
PID 4928 wrote to memory of 236	4928	cmd.exe	84
PID 4928 wrote to memory of 236	4928	cmd.exe	84
PID 4928 wrote to memory of 4200	4928	cmd.exe	85
PID 4928 wrote to memory of 4200	4928	cmd.exe	85
PID 4928 wrote to memory of 4200	4928	cmd.exe	85
PID 4928 wrote to memory of 2352	4928	cmd.exe	86
PID 4928 wrote to memory of 2352	4928	cmd.exe	86
PID 4928 wrote to memory of 2352	4928	cmd.exe	86
PID 4928 wrote to memory of 888	4928	cmd.exe	89
PID 4928 wrote to memory of 888	4928	cmd.exe	89
PID 4928 wrote to memory of 888	4928	cmd.exe	89
PID 4928 wrote to memory of 1540	4928	cmd.exe	91
PID 4928 wrote to memory of 1540	4928	cmd.exe	91
PID 4928 wrote to memory of 1540	4928	cmd.exe	91
PID 5004 wrote to memory of 716	5004	rutserv.exe	95
PID 5004 wrote to memory of 716	5004	rutserv.exe	95
PID 5004 wrote to memory of 716	5004	rutserv.exe	95
PID 5004 wrote to memory of 2524	5004	rutserv.exe	94
PID 5004 wrote to memory of 2524	5004	rutserv.exe	94
PID 5004 wrote to memory of 2524	5004	rutserv.exe	94
PID 2524 wrote to memory of 1576	2524	rfusclient.exe	96
PID 2524 wrote to memory of 1576	2524	rfusclient.exe	96
PID 2524 wrote to memory of 1576	2524	rfusclient.exe	96
PID 1588 wrote to memory of 2132	1588	explorer.exe	97
PID 1588 wrote to memory of 2132	1588	explorer.exe	97
PID 1876 wrote to memory of 2656	1876	chrome.exe	103
PID 1876 wrote to memory of 2656	1876	chrome.exe	103
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104
PID 1876 wrote to memory of 1744	1876	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe
"C:\Users\Admin\AppData\Local\Temp\9e74aec98d3e2b7af6df0ff58ff86e4a1f5f5f1d09705f2a28151e81900d2aa6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\program files\java\install.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\Java\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:236
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4200
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2352
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /firewall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:888
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /start
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1540

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2132

\??\c:\program files\java\rutserv.exe
"c:\program files\java\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
- \??\c:\program files\java\rfusclient.exe
  "c:\program files\java\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2524
- - \??\c:\program files\java\rfusclient.exe
    "c:\program files\java\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:1576
- \??\c:\program files\java\rfusclient.exe
  "c:\program files\java\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc77f1cc40,0x7ffc77f1cc4c,0x7ffc77f1cc58
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4596,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3324,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5280,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5712,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5736,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6024,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6032,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5560,i,12156586595124425254,10598202800043270964,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:1972

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\install.bat

Filesize
290B

MD5
9dc2286281a11ee72985dd2041a58ee3

SHA1
de55198aa0f697ed77e98e3e61deb4cb70ba3b03

SHA256
67f0f1704add831bd00a4977a185a2c97198cc4b3299233f62c3a0820716268a

SHA512
ce4443ec8482cdce28bae0169b0d7df688190a596b914df0bbf62ae2598312c9bfc703ffd2d9b6c548e170bf4cb60cef9d4f9494b0e6391cd8cf6d45affa05f6

Download Submit
C:\Program Files\Java\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7491db2a-fc88-455c-9414-aaf7becf59d0.tmp

Filesize
10KB

MD5
93ba709029e3220dc19550c36b4fbd75

SHA1
1c6d3cbb4695a1bfe267c0de1bdd2db7df2e37e3

SHA256
17f5e309fbbfa40e9913dd50ab43716b9b80bb57f9092a51c40787e12eb94750

SHA512
e4831906bcddff56937ee8fcd0fc05e8eff77c3f9469a7fb6567c3b19c3df8f8b7e3e60a3a2ff3218a36d936f364466a58329e051e67eecf8bf434e381118312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5c0a930a86bfa34d7943483d0f3fd7ee

SHA1
9c2ddc951be5c315b1096b093adedb14e1e743bb

SHA256
d8e02c412c2617a448d3ea6d08e023ff9fc444ac9787e641a3b811ce11750a08

SHA512
0c7d7ef46cf1223e996233f93f690aecc1c11039bf6958cf88494b076e68d6174f480bbfd286d5578d111b36be919a4b3baa16e4ed10783cd9061970539531cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6da3e7b76829f4195333a615e27417d5

SHA1
5595492a5dfb7439f3a51cee15a5a6949d97175a

SHA256
5e17faa94715bc860e6dbfc3663c95ae55017415e108d66b725972ae9ec59f6f

SHA512
863d46cd41d15d05ca3323d9d019e5bc9c35fa93757a9f1b7cafba2d362ec62d3126353690c0ad82d063f86ddd1d9fdaef057b0c6f6f8d195e8d8d7232e9bdf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
26e1b5fe637de831022706cd27fcc76b

SHA1
cad55956d72a9824066cbd3e0963a97a542df35c

SHA256
473bb34467dcd9d6e691f4524e4a0e74c219c01eba167a5961a2ff6f85bdaf11

SHA512
3b66462a3bd15df0020b37b7ab786b3c91e0f8501e3859f2e35b58f67bab02be3e2be2ed7ec24f5d050e268eafd00ffdda7064340d4f32089bfa65c1b246cfef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
68285214ebfc1782cf4549878c31842e

SHA1
482bb2adcd887e650ed10530608ef9645e351868

SHA256
be6d59fc58397fcc316272b30368a2bde10a10a08de432af129c52e9c57a6e00

SHA512
c1287017bf2bc99247e153c43d46cd4096fe565cf66882974b4b7a210d7b7fa097fcf5f20de92ae47f3c04ba5ed781e7d85c44908a74dd2d6730c4c38a07f615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
74242ec907b2438b4f3ce1f2555baa65

SHA1
1606e891f2109220eee33646fd19afa8903a385c

SHA256
9440880545ddd0a15188647b081078b4e4c4a3ab4beecba7523d38e0a54cfa66

SHA512
6c96bddb089135768dcbe281dc5d4f2a05979fb69e8eb5419948dc12cd72288a1227626d1397813094c9572192e9afc1b9d241f1e9235d9811336552e73c9ec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2177c123d6797b099d686fae8290c246

SHA1
82b30a9d4375ea91f5d18a9ad721c6c1f6d93bd3

SHA256
4a0b72e482c550a722fd26c1f9bc38d0dd52c2c6eaeab9f06b5d74941818a80f

SHA512
9b831d077f1a50385d0efcdb274106cc5a843d9a43e36dcf6c76169f8185c07a80e6dc8e2195a023b631b5d175f88b3de055be32475a9b7341fd448af200476e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
52798e03d10337a86eec39053c5eb21d

SHA1
cfc48b5f12cf53b911e129f069ff7e3a5b7e013b

SHA256
7260eb8a96019c09f91b3f28738a470ba2be2780305287455d2a3038793a00ec

SHA512
59d7f94de021b797fcef81b86668be7c9262c460e3a79658ba399c57674883e71f45e968883518255201a27b4c07258a0b6b16fd5a5db3cea71a41248602c0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca069647-ca27-4792-b0a9-edf6a28ec517.tmp

Filesize
10KB

MD5
e4b924a8f497bf5f7e259b8d9c1cd64e

SHA1
05cd2c0cb6cad7bbc65e8d9f3fa24ae221d4fc52

SHA256
4fae8ef15c79e563ac2c8dd11f3dd40c72410c625acc3ee339729c3eab495a4f

SHA512
5930bf6e881b0ce10261e5ad6d9592a15a5756a7f88a4f20040ae95a12e0c69a0f47b2f898c433f8303611c915dae91d58864bc6e2bf8c57fcaf1d5cddcb85d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
da0a029fbbc578752421ec1562425304

SHA1
2b9180667ee6c96f580a1023ddc72eb793a27dc6

SHA256
b96cc47057a5d4a80836f267871c677f58cfbae080b5beac22666e6cadd52eaf

SHA512
316de9446a2705beaf72dfa94a751a45f9d3ab1a8cf46a71137d74f3b2a202048b16059b492643d8a68d062019f1c74aace2ba37efbeedfe8c8b27f84fe101cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
b8401ca9a760fea0beab308c15513394

SHA1
07aa784de8abaa0e001eb7a6cc92159a4d579e13

SHA256
ce16e7ee436e50d31cc915b11134cc494be022fd3556d0c6524aba6927aeeab6

SHA512
3789aa976fd130b1f5e044a9eed9e2c279924f6b06d94ed3dc6130b22150bb78b5cf27e1f3a6f5160b34cab4674fc258de73a93976edcc0d77050f037e13c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
f49a1f773027be1e29d58177baa48719

SHA1
3045f0e40251600001bb6206334cfce4639046da

SHA256
9ad58ef51ff02b1bbc0112c43862f187eb9ccb4318a0e8d6356aa6abb401379b

SHA512
3466fcb81b21b22bc84ab373cf64f72e1e0dd7bde045f6daacfe914cd4d4aa44b216c90de6ba72ccb22a1b90c5ea280eadc0e177c091b84780f8f79daf5d2224

Download Submit
C:\program files\java\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
\??\c:\program files\java\regedit.reg

Filesize
11KB

MD5
bda99f82ad842497074241baef8c1449

SHA1
2fcd176128a8ea66db7796dc7cb3f8fffb9bdad2

SHA256
102614d45322c5cc2454bea73a303baf60ad2a4b7bb7594eea9402832d21fe08

SHA512
161babfd48688d7748a718282700a95b04115f14ad9041d7ec99d3dfb64b861dea443cdb41b890b8b432eed6e271136f74500aa2a53c8b44c0e4db84b29b6c98

Download Submit
\??\c:\program files\java\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
\??\c:\program files\java\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
\??\c:\program files\java\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/716-68-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-64-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-59-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-228-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-82-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-99-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-383-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-69-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-58-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-60-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/716-103-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/888-34-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-35-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-33-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-36-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-38-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-32-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/888-31-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-42-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-41-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-40-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-65-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-44-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-43-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1540-45-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1576-77-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-78-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-76-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-75-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-74-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-79-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1576-73-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2132-91-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-94-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-83-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-85-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-84-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-89-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-90-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-93-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-95-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2132-92-0x0000024F4CF20000-0x0000024F4CF21000-memory.dmp

Filesize
4KB

Download
memory/2352-29-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-22-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-23-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-27-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-26-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-25-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2352-24-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2524-63-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-62-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-61-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-67-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-66-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-81-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2524-70-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5004-226-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-48-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-47-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-371-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-50-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5004-49-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download