rms | fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117

Analysis

max time kernel
153s
max time network
161s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe
Size

2.0MB
MD5

f1c647b4a3319a764fd6e8ed0ce85ff1
SHA1

900b636dc9e88874f72ff119315091a5cacf0452
SHA256

fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117
SHA512

bd3e4aeb733dd7ef72ee58a55b1efae71bd6afa49e9fe3e5d49c1fac6f60c3beec77f6bf1d230d7e836d03f2bd6c119025189edcbb69ad783bc310f12db9accf
SSDEEP

49152:a1LwvJ8WH0S6nBiSlqo5ulwGULRbI2I4kk7Ykg8p3pxgN0:sIcNqlwJL1XLkvyp3peO

Score

10^/10

rms evasion persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 2 IoCs

Processes:

svnhost.exesvnhost.exe

pid process

484 svnhost.exe
1952 svnhost.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1824 attrib.exe

pid	process
1824	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1544-55-0x0000000000400000-0x0000000000AD5000-memory.dmp	upx
behavioral1/memory/1544-74-0x0000000000400000-0x0000000000AD5000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

cmd.exesvnhost.exesvnhost.exe

pid process

1324 cmd.exe
1324 cmd.exe
484 svnhost.exe
1952 svnhost.exe

pid	process
1324	cmd.exe
1324	cmd.exe
484	svnhost.exe
1952	svnhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svnhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\esfero\\svnhost.exe"	svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

712 taskkill.exe
2004 taskkill.exe
1336 taskkill.exe
916 taskkill.exe

pid	process
712	taskkill.exe
2004	taskkill.exe
1336	taskkill.exe
916	taskkill.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svnhost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000350022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000350022003e003c0069006e007400650072006e00650074005f00690064003e003400320036002d003500380032002d003500350033003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003100390034002e00350038002e00390032002e00350039003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\rnd = 3800320032003900320036003000	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000350022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003100390034002e00350038002e00390032002e00350039003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\Password = 41004300340032004500310039003600350041003900430030003700340030003900310038003900350046003900380044003800460046004300410042004400330032004200380035003800340035003700420035004300380041003900370038003700300030003200350038003300430041003200460030003700430036004200360041003600350033003400360037004100450041003100390030004100330032003600360042004300330034003600360035003900390033004100370039003100360044003500380035004200430033004100370030003000430037003600340036003300440042003600360044004500450044003300360043004600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\Options = 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f67557365080553696449640610312e30303030313133313934343434340d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303035223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0607383636323337311144697361626c65496e7465726e65744964080b536166654d6f6465536574080000	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Certificates\notification = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e007a00650072006f0074007400690031003300400067006d00610069006c002e0063006f006d003c002f0065006d00610069006c003e003c00690064003e003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00	svnhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svnhost.exesvnhost.exe

pid	process
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
1952	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe
484	svnhost.exe
1952	svnhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exesvnhost.exesvnhost.exe

description	pid	process
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	484	svnhost.exe
Token: SeTakeOwnershipPrivilege	1952	svnhost.exe
Token: SeTcbPrivilege	1952	svnhost.exe
Token: SeTcbPrivilege	1952	svnhost.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.execmd.exe

description	pid	process	target process
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1544 wrote to memory of 1324	1544	fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe	cmd.exe
PID 1324 wrote to memory of 712	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 712	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 712	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 712	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 2004	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 2004	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 2004	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 2004	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1336	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1336	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1336	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1336	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 916	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 916	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 916	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 916	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1824	1324	cmd.exe	attrib.exe
PID 1324 wrote to memory of 1824	1324	cmd.exe	attrib.exe
PID 1324 wrote to memory of 1824	1324	cmd.exe	attrib.exe
PID 1324 wrote to memory of 1824	1324	cmd.exe	attrib.exe
PID 1324 wrote to memory of 1616	1324	cmd.exe	reg.exe
PID 1324 wrote to memory of 1616	1324	cmd.exe	reg.exe
PID 1324 wrote to memory of 1616	1324	cmd.exe	reg.exe
PID 1324 wrote to memory of 1616	1324	cmd.exe	reg.exe
PID 1324 wrote to memory of 484	1324	cmd.exe	svnhost.exe
PID 1324 wrote to memory of 484	1324	cmd.exe	svnhost.exe
PID 1324 wrote to memory of 484	1324	cmd.exe	svnhost.exe
PID 1324 wrote to memory of 484	1324	cmd.exe	svnhost.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1824 attrib.exe

pid	process
1824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe
"C:\Users\Admin\AppData\Local\Temp\fd2658a7e96f5babb9efc15b7df7c10da1c25593b3f9ad9b36c6148037503117.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A130.tmp\install.cmd" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im anvir.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svnhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\esfero"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
3⤵
PID:1616

C:\Users\Admin\esfero\svnhost.exe
"C:\Users\Admin\esfero\svnhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Users\Admin\esfero\svnhost.exe
C:\Users\Admin\esfero\svnhost.exe -second
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A130.tmp\config.dll
Filesize
3KB

MD5
60a5af64444025fa178663b9eb0acf9b

SHA1
2496e6d17b004691d6d6d376ef7167d3cf2d7696

SHA256
c2ee8525e919ec1e25ae08d68fa36e9d05b4ff91d079383b0f4f179e7cbe6e72

SHA512
c6ac9635485e10718cdb55aa69b9ed96f7890fd3e6dc5d34d6dad71c5ba46b723d4fa3aba2af08eb3ac4c622867de68753b782d5acece201d735f631c5178c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\install.cmd
Filesize
727B

MD5
904baf72350e0cb0e017f3a7e4f77fa0

SHA1
f4243a8ff390bd39c29770551d6930d10833442e

SHA256
dceaa357c758d119f2f39fe6862383838f6fcaef101c05537e47210fc9481064

SHA512
61c89c7722d72da805bbb2299ade6d6b28cbb1ffbb3d3edd19b852bf936e4c19da13d613ed5587dc135a5b486fa3962167d350692326c21897aeed37223e22b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\rinit.dll
Filesize
105KB

MD5
e6f7d187d02963939ab83b2ad3c882b5

SHA1
39d3c3a17d3f9a5053f6c31dc294d6280e205bbf

SHA256
341ab84d9affe7601bf208e50db4f233cf842a8f4111512a7e92a4497afc39ab

SHA512
a90a641976a3bd5a01e5384c8806a0bb2060b715b1810c3af6f04052e3753deba18543833cd36eec4c027feae877921d84e97bb85cb0099c4273a4ca65f3fd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\settings.ini
Filesize
216B

MD5
3cad3164a2b97bfc42d0b2f6ece16277

SHA1
2827951280f111438978a5edea6072226f6531f0

SHA256
bc766165d148079417520e4b9cb19271b5e76abeacc428138f8d41f43db55c2e

SHA512
f07b3d73ba2d511184ef2a62b1e1ad7886f66e8e7a6b18ba1daa477e2a5264b7c713a73f3b37030479a47fd57629b326b40b89f9ab3ae764d5843b00047ea507

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\vp8decoder.dll
Filesize
403KB

MD5
6b04788094ecd05d610dbc0367fe49da

SHA1
23272fd3c0b4a808e94665e0e1b32dcdef31aa58

SHA256
efcb21b1caa11c8f876238beda8411b9acf4baf8a9acf946a679e120b75ad2d5

SHA512
e44bd76322df4c8cbd3a1633abe52f09732cbe1a83e80be5db7eb6b983b3898730451298df417788cda4392dfab83be3b7065e52fb43217fc5e5f719f5a3f68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A130.tmp\vp8encoder.dll
Filesize
685KB

MD5
b5b4a8455605319035a6392015df9edd

SHA1
702b4f6cee4b4708b9a55d561fac45738b058484

SHA256
27e0311c8b709899a31f4f16f79e6dfa2e0a6922e8f3dad56d1ade26432d443b

SHA512
8a4d84c82c506fb06efde4d6d7c304a518d385c3371284b1fdbcda7a9945301ec970aad06e0d541a79c9843a2c73a31de7571580351a375b91538ec34179c666

Download Submit
C:\Users\Admin\esfero\config.dll
Filesize
3KB

MD5
60a5af64444025fa178663b9eb0acf9b

SHA1
2496e6d17b004691d6d6d376ef7167d3cf2d7696

SHA256
c2ee8525e919ec1e25ae08d68fa36e9d05b4ff91d079383b0f4f179e7cbe6e72

SHA512
c6ac9635485e10718cdb55aa69b9ed96f7890fd3e6dc5d34d6dad71c5ba46b723d4fa3aba2af08eb3ac4c622867de68753b782d5acece201d735f631c5178c7f

Download Submit
C:\Users\Admin\esfero\rinit.dll
Filesize
105KB

MD5
e6f7d187d02963939ab83b2ad3c882b5

SHA1
39d3c3a17d3f9a5053f6c31dc294d6280e205bbf

SHA256
341ab84d9affe7601bf208e50db4f233cf842a8f4111512a7e92a4497afc39ab

SHA512
a90a641976a3bd5a01e5384c8806a0bb2060b715b1810c3af6f04052e3753deba18543833cd36eec4c027feae877921d84e97bb85cb0099c4273a4ca65f3fd81

Download Submit
C:\Users\Admin\esfero\settings.ini
Filesize
216B

MD5
3cad3164a2b97bfc42d0b2f6ece16277

SHA1
2827951280f111438978a5edea6072226f6531f0

SHA256
bc766165d148079417520e4b9cb19271b5e76abeacc428138f8d41f43db55c2e

SHA512
f07b3d73ba2d511184ef2a62b1e1ad7886f66e8e7a6b18ba1daa477e2a5264b7c713a73f3b37030479a47fd57629b326b40b89f9ab3ae764d5843b00047ea507

Download Submit
C:\Users\Admin\esfero\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
C:\Users\Admin\esfero\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
C:\Users\Admin\esfero\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
C:\Users\Admin\esfero\vp8decoder.dll
Filesize
403KB

MD5
6b04788094ecd05d610dbc0367fe49da

SHA1
23272fd3c0b4a808e94665e0e1b32dcdef31aa58

SHA256
efcb21b1caa11c8f876238beda8411b9acf4baf8a9acf946a679e120b75ad2d5

SHA512
e44bd76322df4c8cbd3a1633abe52f09732cbe1a83e80be5db7eb6b983b3898730451298df417788cda4392dfab83be3b7065e52fb43217fc5e5f719f5a3f68e

Download Submit
C:\Users\Admin\esfero\vp8encoder.dll
Filesize
685KB

MD5
b5b4a8455605319035a6392015df9edd

SHA1
702b4f6cee4b4708b9a55d561fac45738b058484

SHA256
27e0311c8b709899a31f4f16f79e6dfa2e0a6922e8f3dad56d1ade26432d443b

SHA512
8a4d84c82c506fb06efde4d6d7c304a518d385c3371284b1fdbcda7a9945301ec970aad06e0d541a79c9843a2c73a31de7571580351a375b91538ec34179c666

Download Submit
\Users\Admin\esfero\rinit.dll
Filesize
105KB

MD5
e6f7d187d02963939ab83b2ad3c882b5

SHA1
39d3c3a17d3f9a5053f6c31dc294d6280e205bbf

SHA256
341ab84d9affe7601bf208e50db4f233cf842a8f4111512a7e92a4497afc39ab

SHA512
a90a641976a3bd5a01e5384c8806a0bb2060b715b1810c3af6f04052e3753deba18543833cd36eec4c027feae877921d84e97bb85cb0099c4273a4ca65f3fd81

Download Submit
\Users\Admin\esfero\rinit.dll
Filesize
105KB

MD5
e6f7d187d02963939ab83b2ad3c882b5

SHA1
39d3c3a17d3f9a5053f6c31dc294d6280e205bbf

SHA256
341ab84d9affe7601bf208e50db4f233cf842a8f4111512a7e92a4497afc39ab

SHA512
a90a641976a3bd5a01e5384c8806a0bb2060b715b1810c3af6f04052e3753deba18543833cd36eec4c027feae877921d84e97bb85cb0099c4273a4ca65f3fd81

Download Submit
\Users\Admin\esfero\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
\Users\Admin\esfero\svnhost.exe
Filesize
5.6MB

MD5
d9931b2ccc0ce9ea776e3a711900e3e8

SHA1
31d5eef2736314a9dca3e15a51f85b0f9b0d23a8

SHA256
698a0d0fe809d1a1284201130c4d042880bd3a4dc8e4c0acb718a879ec8644e9

SHA512
6aef12502d6706c354556087c00864b796088f33bd92bcb867077e3993dd9519bd22dca6ce078b56b04f7592101865422e20e132e88f52dc3e02694570504cb4

Download Submit
memory/484-72-0x0000000000000000-mapping.dmp

Download
memory/712-58-0x0000000000000000-mapping.dmp

Download
memory/916-61-0x0000000000000000-mapping.dmp

Download
memory/1324-56-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1544-54-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1544-55-0x0000000000400000-0x0000000000AD5000-memory.dmp

Filesize
6.8MB

Download
memory/1544-74-0x0000000000400000-0x0000000000AD5000-memory.dmp

Filesize
6.8MB

Download
memory/1616-69-0x0000000000000000-mapping.dmp

Download
memory/1824-62-0x0000000000000000-mapping.dmp

Download
memory/2004-59-0x0000000000000000-mapping.dmp

Download