rms | 6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7

Analysis

max time kernel
155s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe
Size

2.0MB
MD5

b116dea2cc37290ca470c0897b525003
SHA1

fb949ccd1adc5588268fdb1e6664a6acdf05e2d7
SHA256

6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7
SHA512

e20d51db38fc449087737759f9898baff38c32cbec87a0b887d8cf30fae78f4c7622eaf52722c405fc96db233233d2d18673315125e423c09bf0243073ef9fac
SSDEEP

49152:vcH5bKv+aDrXbxG6lHVXkHkTfdDer4kE+5cc1rHVXsKAT21GBxF37o:vcZq+aDrbxxHlckxqbE+5Z1rSe1Gf6

Score

10^/10

rms evasion persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3460 created 1452 3460 svchost.exe svnhost.exe
Executes dropped EXE 2 IoCs

Processes:

svnhost.exesvnhost.exe

pid process

1452 svnhost.exe
3956 svnhost.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3388 attrib.exe

description	pid	process	target process
PID 3460 created 1452	3460	svchost.exe	svnhost.exe

pid	process
3388	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe

Loads dropped DLL 2 IoCs

Processes:

svnhost.exesvnhost.exe

pid process

1452 svnhost.exe
3956 svnhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svnhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	svnhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnhost.exe = "C:\\Users\\Admin\\Birdsmade\\svnhost.exe"	svnhost.exe

Drops file in System32 directory 3 IoCs

Processes:

svnhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svnhost.pdb	svnhost.exe
File opened for modification	C:\Windows\SysWOW64\exe\svnhost.pdb	svnhost.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\svnhost.pdb	svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3688 taskkill.exe
4732 taskkill.exe
3788 taskkill.exe

pid	process
3688	taskkill.exe
4732	taskkill.exe
3788	taskkill.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svnhost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003500360030003000350022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000350022003e003c0069006e007400650072006e00650074005f00690064003e003500380031002d003600360031002d003200310037003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e0074007200750065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003100390034002e00350038002e00390032002e00350039003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\rnd = 3500390032003300380038003500	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\InternetId = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003500360030003000350022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003100390034002e00350038002e00390032002e00350039003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e0074007200750065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e003400340033003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\Password = 41004300340032004500310039003600350041003900430030003700340030003900310038003900350046003900380044003800460046004300410042004400330032004200380035003800340035003700420035004300380041003900370038003700300030003200350038003300430041003200460030003700430036004200360041003600350033003400360037004100450041003100390030004100330032003600360042004300330034003600360035003900390033004100370039003100360044003500380035004200430033004100370030003000430037003600340036003300440042003600360044004500450044003300360043004600	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\Options = 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70090c497046696c7465725479706502021750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636081141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f67557365080553696449640610312e3030303030363730313338383839084c6963656e73657306b65255542d5a2d4435373534614534323237383633443146334431663342364541323430613539626a347853326459586c52664477776e4f326f41424235465841344e58435a724d6b4264564739525846424449547733446864645241774d574652735a3249464141514844683959564778704d45594741674166414167645947566c426d63424351674542517068595767645845554f446c4e665247786b5a413458556c3547446730664f54417462564666566c304f0d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223536303035223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a0a4164646974696f6e616c0607383636323337311144697361626c65496e7465726e65744964080b536166654d6f6465536574080000	svnhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Certificates\notification = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003500360030003000360022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e007200690063006100720064006f002e0063006100760061006c006900390031003300400067006d00610069006c002e0063006f006d003c002f0065006d00610069006c003e003c00690064003e003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00350036003000300036003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00	svnhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svnhost.exe

pid	process
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe
1452	svnhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exesvnhost.exesvchost.exesvnhost.exe

description	pid	process
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	1452	svnhost.exe
Token: SeTcbPrivilege	3460	svchost.exe
Token: SeTcbPrivilege	3460	svchost.exe
Token: SeTakeOwnershipPrivilege	3956	svnhost.exe
Token: SeTcbPrivilege	3956	svnhost.exe
Token: SeTcbPrivilege	3956	svnhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.execmd.exesvchost.exe

description	pid	process	target process
PID 2900 wrote to memory of 2328	2900	6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe	cmd.exe
PID 2900 wrote to memory of 2328	2900	6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe	cmd.exe
PID 2900 wrote to memory of 2328	2900	6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe	cmd.exe
PID 2328 wrote to memory of 3688	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3688	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3688	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 4732	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 4732	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 4732	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3788	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3788	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3788	2328	cmd.exe	taskkill.exe
PID 2328 wrote to memory of 3388	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 3388	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 3388	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 5048	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 5048	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 5048	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 1452	2328	cmd.exe	svnhost.exe
PID 2328 wrote to memory of 1452	2328	cmd.exe	svnhost.exe
PID 2328 wrote to memory of 1452	2328	cmd.exe	svnhost.exe
PID 3460 wrote to memory of 3956	3460	svchost.exe	svnhost.exe
PID 3460 wrote to memory of 3956	3460	svchost.exe	svnhost.exe
PID 3460 wrote to memory of 3956	3460	svchost.exe	svnhost.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3388 attrib.exe

pid	process
3388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe
"C:\Users\Admin\AppData\Local\Temp\6679713eff98fb9688c93ea4fbf18b3e032951b87de9f92c78a72fce8ce01ce7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im anvir.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r "C:\Users\Admin\Birdsmade"
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d 0 /f
3⤵
PID:5048

C:\Users\Admin\Birdsmade\svnhost.exe
"C:\Users\Admin\Birdsmade\svnhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\Birdsmade\svnhost.exe
C:\Users\Admin\Birdsmade\svnhost.exe -second
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\config.dll
Filesize
3KB

MD5
91a4ef42b6c599f58d8d6ea0292e4827

SHA1
4122ce1401f57573135db4143071064c057edd16

SHA256
4c37b23151365fb28fad4b446f93bb56839ebfbc5861c50ea59d25f0f01e022e

SHA512
3e53da527b22bce594cb01394aa388812f015a07f231c2edb3c73b8d16e7d4b17238b2fbf38e3daf1037749c5d14e7f4193e9a79e4b35737266e25fc16fb4bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
Filesize
798B

MD5
8db8a08ea64104c1fb0b5f9a30e56b0c

SHA1
767d987fdb887679cf7513aff01baf8fb23e393f

SHA256
2bda4135e21205fde780ccde8b54e458bf3249225389253d0c3f237649114008

SHA512
e37f1b2b7db1f1568d7a248921ba93df76f4459dccbef5975b92851caa27a358de177d235b540cfa5d91b6921213c22520c77fa15c9f43d8c63292c4f1cf2372

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rinit.dll
Filesize
105KB

MD5
7e4d2cb21c411c88b453b9aecd75efa0

SHA1
f1054531b5954921e0931453338322bb34816c1e

SHA256
fc4d3f734cd484d0514dcee814e4238bcba251b8735f618bbee415991360ef32

SHA512
98a0f241650c780866983ab0e24edd665c9c2761f48e847cad5b88b79c534434df1a561ae928d2a19ca476b603bbf3dcab4faccfd996754614a8650755379770

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.ini
Filesize
224B

MD5
f2c16504259552b86120bd3b3bb8cb37

SHA1
679b943d4a9d80142aac4fabe5e8dccfdf23994e

SHA256
be56123b3196282d8440216aa5f7eb455fe41554d75bcdee016d98aef46b950a

SHA512
0a61fb87cfbd290b46f8d0f923ab0325f9af3f16172aadd1be5cc6855dc06a58677cef954342432972f43797c62f6fe0722a55e3f3ba475a5820dab90a282860

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\svnhost.exe
Filesize
5.6MB

MD5
9eaf8a765669acdc1bf3501006b801e0

SHA1
f582a4e8c29856650e99bbdd62dd985ea5827e08

SHA256
4c65d5cae34c6e912d65b0de98caa8eb8315dbc7d3e7d8094a4fa261389fc0f5

SHA512
603a9374edd90ed327a32c3bb25ed8dbe2884ffc282217ac3f247ef07958d80e448d27b8ec3f6889917fe7fdbbf6c7e56df87400814918a663dca2ecac88370f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8decoder.dll
Filesize
403KB

MD5
6b04788094ecd05d610dbc0367fe49da

SHA1
23272fd3c0b4a808e94665e0e1b32dcdef31aa58

SHA256
efcb21b1caa11c8f876238beda8411b9acf4baf8a9acf946a679e120b75ad2d5

SHA512
e44bd76322df4c8cbd3a1633abe52f09732cbe1a83e80be5db7eb6b983b3898730451298df417788cda4392dfab83be3b7065e52fb43217fc5e5f719f5a3f68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\vp8encoder.dll
Filesize
685KB

MD5
b5b4a8455605319035a6392015df9edd

SHA1
702b4f6cee4b4708b9a55d561fac45738b058484

SHA256
27e0311c8b709899a31f4f16f79e6dfa2e0a6922e8f3dad56d1ade26432d443b

SHA512
8a4d84c82c506fb06efde4d6d7c304a518d385c3371284b1fdbcda7a9945301ec970aad06e0d541a79c9843a2c73a31de7571580351a375b91538ec34179c666

Download Submit
C:\Users\Admin\Birdsmade\config.dll
Filesize
3KB

MD5
91a4ef42b6c599f58d8d6ea0292e4827

SHA1
4122ce1401f57573135db4143071064c057edd16

SHA256
4c37b23151365fb28fad4b446f93bb56839ebfbc5861c50ea59d25f0f01e022e

SHA512
3e53da527b22bce594cb01394aa388812f015a07f231c2edb3c73b8d16e7d4b17238b2fbf38e3daf1037749c5d14e7f4193e9a79e4b35737266e25fc16fb4bb4

Download Submit
C:\Users\Admin\Birdsmade\rinit.dll
Filesize
105KB

MD5
7e4d2cb21c411c88b453b9aecd75efa0

SHA1
f1054531b5954921e0931453338322bb34816c1e

SHA256
fc4d3f734cd484d0514dcee814e4238bcba251b8735f618bbee415991360ef32

SHA512
98a0f241650c780866983ab0e24edd665c9c2761f48e847cad5b88b79c534434df1a561ae928d2a19ca476b603bbf3dcab4faccfd996754614a8650755379770

Download Submit
C:\Users\Admin\Birdsmade\rinit.dll
Filesize
105KB

MD5
7e4d2cb21c411c88b453b9aecd75efa0

SHA1
f1054531b5954921e0931453338322bb34816c1e

SHA256
fc4d3f734cd484d0514dcee814e4238bcba251b8735f618bbee415991360ef32

SHA512
98a0f241650c780866983ab0e24edd665c9c2761f48e847cad5b88b79c534434df1a561ae928d2a19ca476b603bbf3dcab4faccfd996754614a8650755379770

Download Submit
C:\Users\Admin\Birdsmade\rinit.dll
Filesize
105KB

MD5
7e4d2cb21c411c88b453b9aecd75efa0

SHA1
f1054531b5954921e0931453338322bb34816c1e

SHA256
fc4d3f734cd484d0514dcee814e4238bcba251b8735f618bbee415991360ef32

SHA512
98a0f241650c780866983ab0e24edd665c9c2761f48e847cad5b88b79c534434df1a561ae928d2a19ca476b603bbf3dcab4faccfd996754614a8650755379770

Download Submit
C:\Users\Admin\Birdsmade\settings.ini
Filesize
224B

MD5
f2c16504259552b86120bd3b3bb8cb37

SHA1
679b943d4a9d80142aac4fabe5e8dccfdf23994e

SHA256
be56123b3196282d8440216aa5f7eb455fe41554d75bcdee016d98aef46b950a

SHA512
0a61fb87cfbd290b46f8d0f923ab0325f9af3f16172aadd1be5cc6855dc06a58677cef954342432972f43797c62f6fe0722a55e3f3ba475a5820dab90a282860

Download Submit
C:\Users\Admin\Birdsmade\svnhost.exe
Filesize
5.6MB

MD5
9eaf8a765669acdc1bf3501006b801e0

SHA1
f582a4e8c29856650e99bbdd62dd985ea5827e08

SHA256
4c65d5cae34c6e912d65b0de98caa8eb8315dbc7d3e7d8094a4fa261389fc0f5

SHA512
603a9374edd90ed327a32c3bb25ed8dbe2884ffc282217ac3f247ef07958d80e448d27b8ec3f6889917fe7fdbbf6c7e56df87400814918a663dca2ecac88370f

Download Submit
C:\Users\Admin\Birdsmade\svnhost.exe
Filesize
5.6MB

MD5
9eaf8a765669acdc1bf3501006b801e0

SHA1
f582a4e8c29856650e99bbdd62dd985ea5827e08

SHA256
4c65d5cae34c6e912d65b0de98caa8eb8315dbc7d3e7d8094a4fa261389fc0f5

SHA512
603a9374edd90ed327a32c3bb25ed8dbe2884ffc282217ac3f247ef07958d80e448d27b8ec3f6889917fe7fdbbf6c7e56df87400814918a663dca2ecac88370f

Download Submit
C:\Users\Admin\Birdsmade\svnhost.exe
Filesize
5.6MB

MD5
9eaf8a765669acdc1bf3501006b801e0

SHA1
f582a4e8c29856650e99bbdd62dd985ea5827e08

SHA256
4c65d5cae34c6e912d65b0de98caa8eb8315dbc7d3e7d8094a4fa261389fc0f5

SHA512
603a9374edd90ed327a32c3bb25ed8dbe2884ffc282217ac3f247ef07958d80e448d27b8ec3f6889917fe7fdbbf6c7e56df87400814918a663dca2ecac88370f

Download Submit
C:\Users\Admin\Birdsmade\vp8decoder.dll
Filesize
403KB

MD5
6b04788094ecd05d610dbc0367fe49da

SHA1
23272fd3c0b4a808e94665e0e1b32dcdef31aa58

SHA256
efcb21b1caa11c8f876238beda8411b9acf4baf8a9acf946a679e120b75ad2d5

SHA512
e44bd76322df4c8cbd3a1633abe52f09732cbe1a83e80be5db7eb6b983b3898730451298df417788cda4392dfab83be3b7065e52fb43217fc5e5f719f5a3f68e

Download Submit
C:\Users\Admin\Birdsmade\vp8encoder.dll
Filesize
685KB

MD5
b5b4a8455605319035a6392015df9edd

SHA1
702b4f6cee4b4708b9a55d561fac45738b058484

SHA256
27e0311c8b709899a31f4f16f79e6dfa2e0a6922e8f3dad56d1ade26432d443b

SHA512
8a4d84c82c506fb06efde4d6d7c304a518d385c3371284b1fdbcda7a9945301ec970aad06e0d541a79c9843a2c73a31de7571580351a375b91538ec34179c666

Download Submit
memory/1452-145-0x0000000000000000-mapping.dmp

Download
memory/2328-132-0x0000000000000000-mapping.dmp

Download
memory/3388-137-0x0000000000000000-mapping.dmp

Download
memory/3688-134-0x0000000000000000-mapping.dmp

Download
memory/3788-136-0x0000000000000000-mapping.dmp

Download
memory/3956-182-0x0000000000000000-mapping.dmp

Download
memory/4732-135-0x0000000000000000-mapping.dmp

Download
memory/5048-144-0x0000000000000000-mapping.dmp

Download