Malware Analysis Report

2024-11-13 16:21

Sample ID: 220516-b781jsbeaq
Target: 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA256: 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
Tags: rms persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

Threat Level: Known bad

The file 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae was found to be: Known bad.

Malicious Activity Summary

rms persistence rat trojan

RMS

Modifies WinLogon for persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-16 01:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-16 01:48
Reported: 2022-05-16 01:50
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe" | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Windows\System64\1svnhost.exe | N/A

RMS

trojan rat rms

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System64\1svnhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System64\1svnhost.exe | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
File created | C:\Windows\Zont911\Home.zip | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\vp8decoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\systemsmss.exe | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\1svnhost.exe | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
File created | C:\Windows\Zont911\Regedit.reg | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\vp8decoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\vp8encoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\vp8encoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\svnhost.exe | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\svnhost.exe | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\systemsmss.exe | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\Zont911\Tupe.bat | C:\Windows\System64\1svnhost.exe | N/A

Enumerates physical storage devices

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
N/A | N/A | C:\Windows\System64\1svnhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System64\svnhost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System64\svnhost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\System64\svnhost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System64\svnhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | C:\Windows\System64\1svnhost.exe
PID 1444 wrote to memory of 1248 | N/A | C:\Windows\System64\1svnhost.exe | C:\Windows\SysWOW64\regedit.exe
PID 1444 wrote to memory of 844 | N/A | C:\Windows\System64\1svnhost.exe | C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 844 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System64\svnhost.exe
PID 844 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System64\svnhost.exe
PID 844 wrote to memory of 1612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System64\svnhost.exe
PID 1400 wrote to memory of 1704 | N/A | C:\Windows\System64\svnhost.exe | C:\Windows\System64\systemsmss.exe
PID 1400 wrote to memory of 976 | N/A | C:\Windows\System64\svnhost.exe | C:\Windows\System64\systemsmss.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe

"C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe"

C:\Windows\System64\1svnhost.exe

"C:\Windows\System64\1svnhost.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\Zont911\Tupe.bat" "

C:\Windows\SysWOW64\chcp.com

Chcp 1251

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /silentinstall

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /firewall

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /start

C:\Windows\System64\svnhost.exe

C:\Windows\System64\svnhost.exe

C:\Windows\System64\systemsmss.exe

C:\Windows\System64\systemsmss.exe

C:\Windows\System64\systemsmss.exe

C:\Windows\System64\systemsmss.exe /tray

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rmansys.ru | udp
RU | 31.31.198.18:80 | rmansys.ru | tcp
US | 8.8.8.8:53 | rms-server.tektonit.ru | udp
RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp

Files

memory/836-54-0x0000000075381000-0x0000000075383000-memory.dmp

\Windows\System64\1svnhost.exe

MD5 f9c019b6a0f1ce8802a8aaeea86e496d
SHA1 7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512 5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

memory/1444-57-0x0000000000000000-mapping.dmp

C:\Windows\System64\1svnhost.exe

MD5 f9c019b6a0f1ce8802a8aaeea86e496d
SHA1 7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512 5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

memory/1248-62-0x0000000000000000-mapping.dmp

C:\Windows\Zont911\Regedit.reg

MD5 44e6200c79b9f46a3d07ad377f5518e9
SHA1 242c27b3e44bec53a770baba126fc8ec1dd0c066
SHA256 2bbb7428d9666fd7fbfa86d01c7c1512016c72eb1a05bf5d6a4589f1c1de1700
SHA512 33e4504feacceab47a159123f9d241ff128676dbfd20ce51eae94c12a82faae52566008fc45dd02bc71d5477ca7cd8b6349986e8d727594d52a2f9cb9c75effb

memory/844-65-0x0000000000000000-mapping.dmp

memory/964-67-0x0000000000000000-mapping.dmp

C:\Windows\Zont911\Tupe.bat

MD5 bc3fb74a6cbcbb208a35ef91ef1eddf9
SHA1 b9e97c0863038d2506123ae53534d2803954a89d
SHA256 e351c2afdfe0a3555ce0da5b09913ed353a331e2454cbe0cb9b3ebe3c6fd8f69
SHA512 4e91e3ac2bc312a2fe76296012626a2d580848a67f8f358cf78a2d8c29d65d3961f62867d113ba109f138af91209d163f589556e1d291a98fe672ff13d8ab674

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

memory/1932-70-0x0000000000000000-mapping.dmp

memory/1936-73-0x0000000000000000-mapping.dmp

memory/1612-76-0x0000000000000000-mapping.dmp

C:\Windows\System64\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Windows\System64\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Windows\System64\systemsmss.exe

MD5 bd458a26931f960f13958510e88a61a8
SHA1 be9fff29f269d649688e941e97ac03e669571837
SHA256 d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512 afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

\Windows\System64\systemsmss.exe

MD5 bd458a26931f960f13958510e88a61a8
SHA1 be9fff29f269d649688e941e97ac03e669571837
SHA256 d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512 afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

memory/1704-86-0x0000000000000000-mapping.dmp

memory/976-87-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-16 01:48
Reported: 2022-05-16 01:50
Platform: win10v2004-20220414-en
Max time kernel: 151s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe" | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Windows\System64\1svnhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A

RMS

trojan rat rms

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\System64\1svnhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\System64\1svnhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System64\svnhost.exe | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\systemsmss.exe | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\systemsmss.exe | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\1svnhost.exe | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
File created | C:\Windows\Zont911\Regedit.reg | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\Zont911\Home.zip | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\vp8decoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File opened for modification | C:\Windows\System64\vp8encoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\Zont911\Tupe.bat | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\1svnhost.exe | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A
File created | C:\Windows\System64\vp8decoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\vp8encoder.dll | C:\Windows\System64\1svnhost.exe | N/A
File created | C:\Windows\System64\svnhost.exe | C:\Windows\System64\1svnhost.exe | N/A

Enumerates physical storage devices

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System64\svnhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System64\svnhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System64\svnhost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System64\svnhost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System64\svnhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System64\svnhost.exe N/A
N/A N/A C:\Windows\System64\svnhost.exe N/A
N/A N/A C:\Windows\System64\svnhost.exe N/A
N/A N/A C:\Windows\System64\svnhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe C:\Windows\System64\1svnhost.exe
PID 5000 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe C:\Windows\System64\1svnhost.exe
PID 5000 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe C:\Windows\System64\1svnhost.exe
PID 1956 wrote to memory of 4200 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 4200 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 4200 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\regedit.exe
PID 1956 wrote to memory of 4156 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4156 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4156 N/A C:\Windows\System64\1svnhost.exe C:\Windows\SysWOW64\cmd.exe
PID 4156 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4156 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4156 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4156 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 4156 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System64\svnhost.exe
PID 688 wrote to memory of 3948 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe
PID 688 wrote to memory of 3948 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe
PID 688 wrote to memory of 3948 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe
PID 688 wrote to memory of 1172 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe
PID 688 wrote to memory of 1172 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe
PID 688 wrote to memory of 1172 N/A C:\Windows\System64\svnhost.exe C:\Windows\System64\systemsmss.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe

"C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe"

C:\Windows\System64\1svnhost.exe

"C:\Windows\System64\1svnhost.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "

C:\Windows\SysWOW64\chcp.com

Chcp 1251

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /silentinstall

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /firewall

C:\Windows\System64\svnhost.exe

"C:\Windows\System64\svnhost.exe" /start

C:\Windows\System64\svnhost.exe

C:\Windows\System64\svnhost.exe

C:\Windows\System64\systemsmss.exe

C:\Windows\System64\systemsmss.exe /tray

C:\Windows\System64\systemsmss.exe

C:\Windows\System64\systemsmss.exe

Network

Country Destination Domain Proto
NL 20.190.160.73:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 rmansys.ru udp
NL 20.190.160.8:443 tcp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 20.42.73.26:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.75:443 tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.2:443 tcp

Files

memory/1956-130-0x0000000000000000-mapping.dmp

C:\Windows\System64\1svnhost.exe

MD5 f9c019b6a0f1ce8802a8aaeea86e496d
SHA1 7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512 5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

C:\Windows\System64\1svnhost.exe

MD5 f9c019b6a0f1ce8802a8aaeea86e496d
SHA1 7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512 5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

memory/4200-133-0x0000000000000000-mapping.dmp

C:\Windows\Zont911\Regedit.reg

MD5 44e6200c79b9f46a3d07ad377f5518e9
SHA1 242c27b3e44bec53a770baba126fc8ec1dd0c066
SHA256 2bbb7428d9666fd7fbfa86d01c7c1512016c72eb1a05bf5d6a4589f1c1de1700
SHA512 33e4504feacceab47a159123f9d241ff128676dbfd20ce51eae94c12a82faae52566008fc45dd02bc71d5477ca7cd8b6349986e8d727594d52a2f9cb9c75effb

memory/4156-135-0x0000000000000000-mapping.dmp

C:\Windows\Zont911\Tupe.bat

MD5 bc3fb74a6cbcbb208a35ef91ef1eddf9
SHA1 b9e97c0863038d2506123ae53534d2803954a89d
SHA256 e351c2afdfe0a3555ce0da5b09913ed353a331e2454cbe0cb9b3ebe3c6fd8f69
SHA512 4e91e3ac2bc312a2fe76296012626a2d580848a67f8f358cf78a2d8c29d65d3961f62867d113ba109f138af91209d163f589556e1d291a98fe672ff13d8ab674

memory/4692-137-0x0000000000000000-mapping.dmp

memory/4860-138-0x0000000000000000-mapping.dmp

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

memory/3492-141-0x0000000000000000-mapping.dmp

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

memory/4148-143-0x0000000000000000-mapping.dmp

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

C:\Windows\System64\svnhost.exe

MD5 e437e8730f2163cba2552a5a374a885a
SHA1 514497f668ae7b80a698bd8cda6de2dcf104e450
SHA256 dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6
SHA512 e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

C:\Windows\System64\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Windows\System64\systemsmss.exe

MD5 bd458a26931f960f13958510e88a61a8
SHA1 be9fff29f269d649688e941e97ac03e669571837
SHA256 d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512 afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

C:\Windows\System64\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

memory/3948-149-0x0000000000000000-mapping.dmp

memory/1172-150-0x0000000000000000-mapping.dmp

C:\Windows\System64\systemsmss.exe

MD5 bd458a26931f960f13958510e88a61a8
SHA1 be9fff29f269d649688e941e97ac03e669571837
SHA256 d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512 afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

C:\Windows\System64\systemsmss.exe

MD5 bd458a26931f960f13958510e88a61a8
SHA1 be9fff29f269d649688e941e97ac03e669571837
SHA256 d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3
SHA512 afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7