rms | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382

Analysis

max time kernel
122s
max time network
156s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Size

29.6MB
MD5

87e9ef77d9eae3a947a8922acf8179d4
SHA1

064167fa469d978df5fd2f1963d4bbb94c341e87
SHA256

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382
SHA512

4bbbe4f6fc0cf1fbe1ae30d3f1fe9356b5bdb08ef60dbecca42e32c3d6208b47db9c9087c1542f5f21c1f8a7a0e4951f2e7cc13f4fd336aed2fb3ca99cf487bf

Score

10^/10

rms evasion persistence rat spyware stealer trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 8 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wmiprvse.execonhost.exereg.exereg.exereg.exereg.exereg.execonhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Executes dropped EXE 8 IoCs

Processes:

inerstelar.exekey.exermsbuild.exesysdisk.exesvnhost.exesysdisk.exemngrdevice.exewinsystem.exe

pid process

1316 inerstelar.exe
1596 key.exe
1940 rmsbuild.exe
1564 sysdisk.exe
1160 svnhost.exe
1224 sysdisk.exe
1616 mngrdevice.exe
856 winsystem.exe

pid	process
1316	inerstelar.exe
1596	key.exe
1940	rmsbuild.exe
1564	sysdisk.exe
1160	svnhost.exe
1224	sysdisk.exe
1616	mngrdevice.exe
856	winsystem.exe

Modifies Windows Firewall 1 TTPs 16 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2000	netsh.exe
1016	netsh.exe
1432	netsh.exe
440	netsh.exe
1612	netsh.exe
1712	netsh.exe
2008	netsh.exe
1544	netsh.exe
2032	netsh.exe
1876	netsh.exe
2028	netsh.exe
860	netsh.exe
1512	netsh.exe
1496	netsh.exe
1952	netsh.exe
1904	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1160-129-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral1/memory/1160-128-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral1/memory/1160-132-0x00000000034D0000-0x000000000352A000-memory.dmp	upx
behavioral1/memory/1160-131-0x00000000034D0000-0x000000000352A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sysdisk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International\Geo\Nation	sysdisk.exe

Loads dropped DLL 11 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exermsbuild.exeinerstelar.execmd.exesvnhost.execmd.exe

pid	process
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
1940	rmsbuild.exe
1316	inerstelar.exe
1316	inerstelar.exe
1960	cmd.exe
1160	svnhost.exe
1160	svnhost.exe
952	cmd.exe
952	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mngrdevice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Windows = "C:\\Windows\\keylog\\mngrdevice.exe"	mngrdevice.exe

Drops file in Windows directory 10 IoCs

Processes:

mngrdevice.exermsbuild.exekey.exe

description	ioc	process
File created	C:\Windows\keylog\libeay32.dll	mngrdevice.exe
File created	C:\Windows\System64\winsystem.exe	rmsbuild.exe
File opened for modification	C:\Windows\keylog\mngrdevice.exe	key.exe
File created	C:\Windows\System64\vp8encoder.dll	rmsbuild.exe
File created	C:\Windows\System64\sysdisk.exe	rmsbuild.exe
File created	C:\Windows\keylog\ssleay32.dll	mngrdevice.exe
File created	C:\Windows\setlibrecini.ini	rmsbuild.exe
File created	C:\Windows\System64\service.bat	rmsbuild.exe
File created	C:\Windows\keylog\mngrdevice.exe	key.exe
File created	C:\Windows\System64\vp8decoder.dll	rmsbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1972 systeminfo.exe
Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

288 reg.exe
1920 reg.exe
1300 reg.exe
1168 reg.exe
1744 reg.exe
1680 reg.exe
1572 reg.exe
2012 reg.exe

pid	process
1972	systeminfo.exe

pid	process
288	reg.exe
1920	reg.exe
1300	reg.exe
1168	reg.exe
1744	reg.exe
1680	reg.exe
1572	reg.exe
2012	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exesysdisk.exesysdisk.exesvnhost.exe

pid	process
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
1564	sysdisk.exe
1564	sysdisk.exe
1564	sysdisk.exe
1564	sysdisk.exe
1564	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1160	svnhost.exe
1160	svnhost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exesysdisk.exepowercfg.exesysdisk.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeCreatePagefilePrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeCreatePagefilePrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeCreatePagefilePrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	904	conhost.exe
Token: SeShutdownPrivilege	904	conhost.exe
Token: SeShutdownPrivilege	904	conhost.exe
Token: SeShutdownPrivilege	904	conhost.exe
Token: SeShutdownPrivilege	904	conhost.exe
Token: SeCreatePagefilePrivilege	904	conhost.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeCreatePagefilePrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeCreatePagefilePrivilege	1016	powercfg.exe
Token: SeDebugPrivilege	1564	sysdisk.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeCreatePagefilePrivilege	1356	powercfg.exe
Token: SeTakeOwnershipPrivilege	1224	sysdisk.exe
Token: SeTcbPrivilege	1224	sysdisk.exe
Token: SeTcbPrivilege	1224	sysdisk.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeCreatePagefilePrivilege	1632	powercfg.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

key.exermsbuild.exesysdisk.exesysdisk.exemngrdevice.exe

pid	process
1596	key.exe
1940	rmsbuild.exe
1940	rmsbuild.exe
1564	sysdisk.exe
1564	sysdisk.exe
1564	sysdisk.exe
1564	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1224	sysdisk.exe
1616	mngrdevice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exeinerstelar.exe

description	pid	process	target process
PID 2024 wrote to memory of 1744	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1744	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1744	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1744	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 948	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 948	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 948	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 948	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 2008	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2008	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2008	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2008	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2000	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2000	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2000	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 2000	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 1316	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 2024 wrote to memory of 1316	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 2024 wrote to memory of 1316	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 2024 wrote to memory of 1316	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	inerstelar.exe
PID 2024 wrote to memory of 1680	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1680	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1680	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1680	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 1884	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1884	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1884	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1884	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1016	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1016	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1016	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 1016	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	powercfg.exe
PID 2024 wrote to memory of 860	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 860	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 860	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 2024 wrote to memory of 860	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	netsh.exe
PID 1316 wrote to memory of 1432	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1432	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1432	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1432	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1904	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1904	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1904	1316	inerstelar.exe	netsh.exe
PID 1316 wrote to memory of 1904	1316	inerstelar.exe	netsh.exe
PID 2024 wrote to memory of 1596	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 2024 wrote to memory of 1596	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 2024 wrote to memory of 1596	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 2024 wrote to memory of 1596	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	key.exe
PID 1316 wrote to memory of 1572	1316	inerstelar.exe	reg.exe
PID 1316 wrote to memory of 1572	1316	inerstelar.exe	reg.exe
PID 1316 wrote to memory of 1572	1316	inerstelar.exe	reg.exe
PID 1316 wrote to memory of 1572	1316	inerstelar.exe	reg.exe
PID 1316 wrote to memory of 2044	1316	inerstelar.exe	powercfg.exe
PID 1316 wrote to memory of 2044	1316	inerstelar.exe	powercfg.exe
PID 1316 wrote to memory of 2044	1316	inerstelar.exe	powercfg.exe
PID 1316 wrote to memory of 2044	1316	inerstelar.exe	powercfg.exe
PID 2024 wrote to memory of 2012	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 2012	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 2012	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 2012	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	reg.exe
PID 2024 wrote to memory of 904	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	conhost.exe
PID 2024 wrote to memory of 904	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	conhost.exe
PID 2024 wrote to memory of 904	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	conhost.exe
PID 2024 wrote to memory of 904	2024	8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
"C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:1744

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:2008

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2000

C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
"C:\Users\Admin\AppData\Local\Temp\inerstelar.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:1572

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:1904

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1432

C:\Users\Admin\AppData\Local\Temp\svnhost.exe
"C:\Users\Admin\AppData\Local\Temp\svnhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1544

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:1496

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C systeminfo
4⤵
PID:856

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C netsh wlan show networks mode=bssid
4⤵
PID:1300

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:1016

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:860

C:\Users\Admin\AppData\Local\Temp\key.exe
"C:\Users\Admin\AppData\Local\Temp\key.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1612

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:288

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows\keylog\mngrdevice.exe"
3⤵
- Loads dropped DLL
PID:1960

C:\Windows\keylog\mngrdevice.exe
C:\Windows\keylog\mngrdevice.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- UAC bypass
- Modifies registry key
PID:1168

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
5⤵
- Modifies Windows Firewall
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:2032

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:2012

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
2⤵
PID:904

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
2⤵
- Modifies Windows Firewall
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:440

C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
"C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1512

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1920

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:1712

C:\Windows\SysWOW64\powercfg.exe
powercfg.exe -h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System64\sysdisk.exe
"C:\Windows\System64\sysdisk.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\System64\sysdisk.exe
C:\Windows\System64\sysdisk.exe -second
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System64\service.bat" "
3⤵
- Loads dropped DLL
PID:952

C:\Windows\System64\winsystem.exe
winsystem.exe /install /silent
4⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37413531-1115838337787394631260271095-1399498577-1550575336-16586521101804196716"
1⤵
- UAC bypass
PID:288

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- UAC bypass
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1179249605983682104-1119135658-75226695919307013912134044593-750440941-2093818915"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-313298714204795503-2093809785980915218-1295917972258122925-811576903835092896"
1⤵
- UAC bypass
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-539312482-10954194241779308706-14704845521776876312-2855983688219138-1778331942"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20808106186806756-1242907773-1403845046-176882123820108127341860282369-1911956101"
1⤵
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\key.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
Filesize
17.6MB

MD5
3c953c3b4bcb16d9bcadad3388e20711

SHA1
17576d534a1d00e57b711ade93b7c57a89e1b7ad

SHA256
e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da

SHA512
66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svnhost.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
C:\Windows\System64\service.bat
Filesize
75B

MD5
3d8ae437e61d1bfa4d58eabc2050af96

SHA1
0d96b38ec1e6ad41920dbe82b461aa12b381ad19

SHA256
b25eec1f9965466a9a32a139dd1728703833610049eb138684588d7cb2fa53b5

SHA512
d558bf211cbb6bfc1533bca5f4ab342e6720b87d0c8e7d04a78018018a624b72eb21b7a3578cdf3782dfe48bda23fce468a754bc0978464c815c1dccb3918501

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
C:\Windows\System64\vp8decoder.dll
Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll
Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
C:\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
C:\Windows\keylog\mngrdevice.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
C:\Windows\keylog\mngrdevice.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
\Users\Admin\AppData\Local\Temp\inerstelar.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
\Users\Admin\AppData\Local\Temp\key.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
\Users\Admin\AppData\Local\Temp\libeay32.dll
Filesize
1.3MB

MD5
c39b8d8bd482b717ebdd17dcae374c9b

SHA1
abe57f749650fdebbaa6792e3676294c20db6abe

SHA256
0e8006f941ad484931369e96d4319e526e62c3e802b8917d2693074e2e0451af

SHA512
2c9f749541b1fa7d9ff2e4f4182ec81824c71c7306e95cf84f93a5b21dbd0fba40f3e0bb10782742f3b84aaee928bac65f75d3226ecb44e41c27fc6219679667

Download Submit
\Users\Admin\AppData\Local\Temp\rmsbuild.exe
Filesize
17.6MB

MD5
3c953c3b4bcb16d9bcadad3388e20711

SHA1
17576d534a1d00e57b711ade93b7c57a89e1b7ad

SHA256
e8751e712a4539d6b74905370c99eaac8450ce1da5bd7fbd7ad85243b029a5da

SHA512
66e639c137da983bd272f69c117c278fdece7255dd75b309897551e70964cc34bd4cbf36d51f79e73e343d72abe45661335fefefb95aac88fa3443ecf7535f1f

Download Submit
\Users\Admin\AppData\Local\Temp\ssleay32.dll
Filesize
349KB

MD5
89172a85c3b07bff7541720d42d31bc6

SHA1
4685df166f9a64d02c86d7966d4d3a7fa18b3106

SHA256
9594efa47fa162756ad19c7fb7e7c7c09d97f505daf6280f6d9a130f76264350

SHA512
1e9f56f89f5f57be88b95836626ffafe54e58a41cb7c1851bb1933ca056e2c8aaf08aa6e7509e0b22f358c727c554c2a7a7cbe7da3d13dd0c42f9084413b468c

Download Submit
\Users\Admin\AppData\Local\Temp\svnhost.exe
Filesize
5.0MB

MD5
3afea909809bf8dc784a478de7488b21

SHA1
16ad26d1a5097f15dcfa96fec1f96b67c1a595c4

SHA256
12c89d49a66732680df79d0cc6038f365bbc89bbd7c7345ec6090a5c85452928

SHA512
efeafe133570dd8d52aaa5e185c07405b4518bd0264b431a54eac795ddb70968fa6bd04232e9e6b86ddc238540d86027f7d1d6c3ba045a7ddca31b20f3f8fb2d

Download Submit
\Windows\System64\sysdisk.exe
Filesize
9.0MB

MD5
92aee365c9fab710fa68b362e5910264

SHA1
a145a246311bed3c4c5e14332618795a189e13a4

SHA256
0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713

SHA512
6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

Download Submit
\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
\Windows\System64\winsystem.exe
Filesize
685KB

MD5
d01414473916d6597cc43c82cf049b76

SHA1
1dbbc71286fc535d1c91c57b9641869545dfa3c9

SHA256
fc82a64c3a7b65325b7c6fed745d7ac2875972d37cc04bd511af1b117acd56ad

SHA512
5def729d5ed86b60215df4fcccd185ca08737fcf1d15a4dd45ab773fa9863a800d97cc50cd1bddaa54e63b9530a46d68845f97fa7adfa543efe65b4eaadc1d7b

Download Submit
\Windows\keylog\mngrdevice.exe
Filesize
6.0MB

MD5
1917fa3536d6eb098105b5a3e7f89a37

SHA1
defeddab06cb646c8cf837ebaf3f512872cd745c

SHA256
6dd19c1d7f3716ba8ffb3896a7d5f7515d1cd87e1c34c61a187717ae432477c7

SHA512
954a0dc59e3ab28abe3f2730bc0e1fec3dbc6afc23279863592e34ea923e76d1dfaf615ba6b78381ede1445c4a919f436c7953ddcf3a2cefeca1a459d94d2d19

Download Submit
memory/288-95-0x0000000000000000-mapping.dmp

Download
memory/440-89-0x0000000000000000-mapping.dmp

Download
memory/856-163-0x0000000000000000-mapping.dmp

Download
memory/856-133-0x0000000000000000-mapping.dmp

Download
memory/860-70-0x0000000000000000-mapping.dmp

Download
memory/904-86-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/952-158-0x0000000000000000-mapping.dmp

Download
memory/1016-108-0x0000000000000000-mapping.dmp

Download
memory/1016-69-0x0000000000000000-mapping.dmp

Download
memory/1160-131-0x00000000034D0000-0x000000000352A000-memory.dmp

Filesize
360KB

Download
memory/1160-132-0x00000000034D0000-0x000000000352A000-memory.dmp

Filesize
360KB

Download
memory/1160-129-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1160-119-0x0000000000000000-mapping.dmp

Download
memory/1160-128-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1168-148-0x0000000000000000-mapping.dmp

Download
memory/1300-153-0x0000000000000000-mapping.dmp

Download
memory/1300-124-0x0000000000000000-mapping.dmp

Download
memory/1316-63-0x0000000000000000-mapping.dmp

Download
memory/1356-125-0x0000000000000000-mapping.dmp

Download
memory/1432-73-0x0000000000000000-mapping.dmp

Download
memory/1496-123-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x0000000000000000-mapping.dmp

Download
memory/1544-122-0x0000000000000000-mapping.dmp

Download
memory/1564-112-0x0000000000000000-mapping.dmp

Download
memory/1572-77-0x0000000000000000-mapping.dmp

Download
memory/1596-76-0x0000000000000000-mapping.dmp

Download
memory/1612-90-0x0000000000000000-mapping.dmp

Download
memory/1616-140-0x0000000000000000-mapping.dmp

Download
memory/1632-149-0x0000000000000000-mapping.dmp

Download
memory/1680-66-0x0000000000000000-mapping.dmp

Download
memory/1712-105-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1876-87-0x0000000000000000-mapping.dmp

Download
memory/1884-67-0x0000000000000000-mapping.dmp

Download
memory/1904-74-0x0000000000000000-mapping.dmp

Download
memory/1912-96-0x0000000000000000-mapping.dmp

Download
memory/1920-106-0x0000000000000000-mapping.dmp

Download
memory/1940-94-0x0000000000000000-mapping.dmp

Download
memory/1952-147-0x0000000000000000-mapping.dmp

Download
memory/1960-137-0x0000000000000000-mapping.dmp

Download
memory/1972-134-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2008-58-0x0000000000000000-mapping.dmp

Download
memory/2012-85-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/2028-92-0x0000000000000000-mapping.dmp

Download
memory/2032-146-0x0000000000000000-mapping.dmp

Download
memory/2032-154-0x0000000000000000-mapping.dmp

Download
memory/2044-78-0x0000000000000000-mapping.dmp

Download