Enlisted Submarine Warfare Insignia
← Back to Blog

Hunting a RAT Hidden in SYSTEM-Level Autorun Persistence

December 8, 2025 15 min read

A multi-day investigation into a suspicious executable that kept reappearing after deletion. This post documents how I traced it to a SYSTEM-level registry persistence mechanism disguised under an Adobe folder path.

Introduction

An alert came in reporting repeated execution of Connect.exe and ConnectDetector.exe stored under an unusual location:

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect\

Immediate red flags surfaced: no Adobe product installs in that directory path, the SYSTEM user profile location is extremely uncommon for legitimate applications, the files kept reappearing after deletion, the behavior resembled a RAT or remote-support tool, and our security tool classified it as "Zoho Assist" despite zero Zoho presence on the machine.

The challenge was clear: the executable rebuilt itself after deletion, no installer existed, no services or scheduled tasks pointed to it, no users ever installed the legitimate software it claimed to be, and security tools identified it as "ZohoAssist" but no Zoho components were actually installed.

This write-up explains how I isolated the cause, validated the findings, and identified the persistence vector.

Phase 1 — Process & File System Recon

I began with process discovery:

Get-Process *connect* | Select Name, Id, Path

The suspicious process was running as SYSTEM with no corresponding Windows service, no MSI entry, and no scheduled task launching it. Killing the process allowed the folder to be deleted temporarily, but it kept coming back. So nothing "normal" was regenerating it.

I inspected the suspicious folder contents and timestamps:

Get-ChildItem "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect" |
    Select-Object Name, LastWriteTime, Length

This revealed all binaries were created on the same day months earlier with no recent modification timestamps matching modern activity. The malware had been present for months and was simply being launched, not reinstalled.

Phase 2 — Hunting for Persistence

I checked every standard persistence mechanism:

Scheduled Tasks: None pointed to the "Adobe\Connect" folder.

Get-ScheduledTask |
    Where-Object { $_.TaskName -match "Adobe|Connect|Zoho|Remote" } |
    Select-Object TaskName, TaskPath, State

Services: Nothing registered.

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*Adobe\\Connect*' -or $_.PathName -like '*CRWindowsClientService*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

MSI Installer Logs: No installation events for Adobe Connect, ZohoAssist, or any related product.

Get-EventLog -LogName Application -Source MsiInstaller -Newest 50

Startup Folders: Empty.

WMI Event Subscriptions: No rogue persistence events.

Everything came back clean, which intensified suspicion. At this point the question was simple: "If nothing is scheduled to run it, why does it keep coming back?"

Phase 3 — Timeline & Origin Tracking

I pulled file timestamps inside the folder. All binaries were created on the same day months earlier, and no recent modification timestamps matched modern activity. This suggested the malware or tool had been present for months and was simply being launched, not reinstalled.

I looked at Windows Installer reconfiguration logs to check for MSI repair activity:

Get-WinEvent -LogName Application |
    Where-Object {
        $_.Id -eq 1035 -and
        $_.TimeCreated -ge (Get-Date "12/06/2025 00:00") -and
        $_.TimeCreated -le (Get-Date "12/06/2025 01:00")
    } |
    Select-Object TimeCreated, Id, ProviderName, Message

They showed many unrelated apps being reconfigured, but not the suspicious files. So the reappearance wasn't coming from MSI repair or third-party software.

Phase 4 — Breakthrough: SYSTEM Registry Run Key

Using a broad PowerShell sweep across all user hives:

Get-ItemProperty -Path 'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Format-List

I finally found it.

The persistence was coming from a SYSTEM-level autorun key:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run

Both contained:

ConnectDetector = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Connect\connectdetector.exe"

Why this matters: S-1-5-18 is the SYSTEM account, .DEFAULT executes before any user logs in, and this guarantees persistence without relying on user profiles. This is malware-style behavior, not normal software design.

With this discovery, everything made sense. The process launched itself before any user session. Deleting the folder temporarily "fixed" it, but the autorun key simply relaunched it. Security tools flagged the behavior as remote-access activity. No installer existed because none was needed.

Phase 5 — Cross-Validation

I worked with a second AI assistant to verify the findings, specifically whether any legitimate application could create this folder, whether any known vendor tools used this executable, whether QuickBooks, drivers, or OEM utilities could be responsible, and whether any security agents could have been involved.

Results confirmed: no legitimate software places Adobe Connect components in the SYSTEM profile, the MD5 hash did not match legitimate vendor builds, file naming and behavior resembled repackaged ZohoAssist components used in malicious campaigns, and nothing on the machine naturally produces these executables.

Cross-validation confirmed the persistence mechanism and reinforced the conclusion: this executable is an unauthorized remote-access tool (RAT) leveraging SYSTEM autorun persistence under the disguise of an Adobe folder.

Eradication

The cleanup process followed these steps:

First, back up the registry keys before making changes:

reg export "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" C:\Temp\Run_Default_Backup.reg /y
reg export "HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" C:\Temp\Run_System_Backup.reg /y

Then remove the malicious autorun entries:

$paths = @(
  'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($p in $paths) {
    Remove-ItemProperty -Path $p -Name 'ConnectDetector' -ErrorAction SilentlyContinue
}

Kill the process and remove the folder:

Stop-Process -Name Connect* -Force -ErrorAction SilentlyContinue
Remove-Item "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect" -Recurse -Force

After removal of the Run keys, the folder stopped regenerating.

Conclusion

This incident is a perfect example of how malware authors hide inside OS profile paths, SYSTEM-level autoruns make persistence nearly invisible, security alert labels ("ZohoAssist") are often based on similarity rather than actual installed software, and a process that reinstalls itself is nearly always anchored to registry persistence or WMI.

It also reinforced the importance of checking every user hive, investigating timestamps, reviewing MSI activity for false trails, and cross-validating findings when behavior is non-standard.

This was one of the more interesting persistence cases I've seen in a while. It blended deceptively placed files, SYSTEM-level execution, misleading vendor associations, a persistence mechanism that activates before login, and a remote-access signature disguised under an Adobe name.

Had it not been investigated thoroughly, it could easily have been assumed to be a legitimate tool—especially because it didn't appear in Apps & Features, Services, or Scheduled Tasks. This is exactly why deep forensic-style troubleshooting matters.

Appendix: PowerShell Commands Reference

Below is a consolidated reference of the PowerShell commands used during this investigation, organized by purpose.

File System Inspection 
# List all files with timestamps and sizes
Get-ChildItem "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect" |
    Select-Object Name, LastWriteTime, Length

# Quick view of names and timestamps only
Get-ChildItem "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect" |
    Select-Object Name, LastWriteTime
Service & Installer Checks 
# Search for related services
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*Adobe\\Connect*' -or $_.PathName -like '*CRWindowsClientService*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# Enumerate MSI-installed products
Get-CimInstance Win32_Product |
    Select-Object Name, Version |
    Sort-Object Name

# Search for "connect" in MSI products
wmic product get name,identifyingnumber | findstr /I "connect"
Event Log Analysis 
# Recent MSI installer events
Get-EventLog -LogName Application -Source MsiInstaller -Newest 50

# MSI events in specific time window
Get-WinEvent -LogName Application |
    Where-Object {
        $_.Id -eq 1035 -and
        $_.TimeCreated -ge (Get-Date "12/06/2025 00:00") -and
        $_.TimeCreated -le (Get-Date "12/06/2025 01:00")
    } |
    Select-Object TimeCreated, Id, ProviderName, Message

# Search for Adobe Connect references in logs
Get-WinEvent -LogName Application -MaxEvents 3000 |
    Where-Object { $_.Message -like "*Adobe\\Connect*" } |
    Select-Object TimeCreated, Id, Message
Scheduled Task Investigation 
# Find suspicious scheduled tasks
Get-ScheduledTask |
    Where-Object { $_.TaskName -match "Adobe|Connect|Zoho|Remote|QuickBooks|Intuit" } |
    Select-Object TaskName, TaskPath, State

# Get details on a specific task
Get-ScheduledTaskInfo -TaskName "<TaskNameHere>"
Process Control 
# Find running Connect processes
Get-Process *connect* -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path

# Kill specific process by PID
Stop-Process -Id 52460 -Force

# Kill all Connect* processes
Stop-Process -Name Connect* -Force -ErrorAction SilentlyContinue
Registry Autorun Discovery 
# Enumerate Run keys across all user hives
Get-ItemProperty -Path 'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Format-List
Cleanup & Eradication 
# Backup registry keys before changes
reg export "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" C:\Temp\Run_Default_Backup.reg /y
reg export "HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" C:\Temp\Run_System_Backup.reg /y

# Remove malicious autorun entries
$paths = @(
  'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($p in $paths) {
    Remove-ItemProperty -Path $p -Name 'ConnectDetector' -ErrorAction SilentlyContinue
}

# Delete the malicious folder
Remove-Item "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Connect" -Recurse -Force -ErrorAction SilentlyContinue
security incident-response malware powershell forensics