Analysis Overview
SHA256
0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db
Threat Level: Known bad
The file 0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db was found to be: Known bad. Both detonations show the same behaviour: the sample drops install.vbs, install.bat and regedit.reg, kills any running RMS / Remote Utilities host (rutserv.exe, rfusclient.exe) and earlier renamed copies, deletes the "Remote Manipulator System" registry key, imports its own registry file silently, installs and starts a renamed RMS host (svshost.exe /silentinstall, /firewall, /start) with a tray client (upgradewin.exe /tray), hides its install directory C:\Windows\System64 with attrib +s +h, and then contacts the RMS vendor hosts rmansys.ru and rms-server.tektonit.ru.
Malicious Activity Summary
RMS
Executes dropped EXE
Sets file to hidden
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: SetClipboardViewer
Views/modifies file attributes
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 01:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 01:31
Reported
2022-01-28 01:35
Platform
win7-en-20211208
Max time kernel
144s
Max time network
158s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
Sets file to hidden
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
"C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svnhost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemsmss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svshost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im upgradewin.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im updated.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemswin.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systems.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systeminfo.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /silentinstall
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /firewall
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /start
C:\Users\Admin\AppData\Local\Temp\svshost.exe
C:\Users\Admin\AppData\Local\Temp\svshost.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Windows\System64" /S /D
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
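The process tree and network table above read as one chain: kill any running RMS / Remote Utilities host (rutserv.exe, rfusclient.exe) and this sample's own renamed copies, wipe the "Remote Manipulator System" registry key, import a prepared regedit.reg with regedit /s, run the renamed host svshost.exe with /silentinstall, /firewall and /start, start the upgradewin.exe tray client, hide the drop directory C:\Windows\System64 (System64 is not a real Windows directory) with attrib +s +h, then resolve and connect to rmansys.ru and rms-server.tektonit.ru. The following Python is an added example, not part of the sandbox report or of the RMS software: it scores endpoint telemetry (process command lines plus DNS/connection records) against that chain. The sample records are constructed from the command lines and destinations listed on this page; the rule names, the stage thresholds and the verdict labels are assumptions of this example.

```python
"""Added example: detect the RMS silent-install chain seen in this report.

Input is a list of process command lines plus (domain, destination) network
records, as an EDR or sandbox would export them. Rule names, thresholds and
verdict labels are this example's own choices, not the sandbox's signatures.
"""
import re
from typing import Dict, List, Tuple

# Processes the dropper kills before reinstalling: the stock RMS / Remote
# Utilities host binaries plus the renamed copies this sample uses.
RMS_PROCESS_NAMES = {"rutserv.exe", "rfusclient.exe", "svshost.exe", "upgradewin.exe"}

# Vendor infrastructure from the report's network table.
RMS_DOMAIN_SUFFIXES = ("rmansys.ru", "tektonit.ru")

TASKKILL_RX = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+([\w.-]+)")

# Each rule is a name plus a regex applied to the lower-cased command line.
RULES = [
    ("rms_silent_install",
     re.compile(r"\b(?:svshost|rutserv)\.exe\b.*?\s/(?:silentinstall|firewall|start)\b")),
    ("rms_tray_client",
     re.compile(r"\b(?:upgradewin|rfusclient)\.exe\b.*?\s/tray\b")),
    ("rms_reg_wipe",
     re.compile(r'\breg(?:\.exe)?\s+delete\s+"hklm\\system\\remote manipulator system"')),
    ("silent_reg_import",
     re.compile(r"\bregedit(?:\.exe)?\s+/s\b")),
    # System64 is not a legitimate Windows directory; +s +h hides the drop folder.
    ("hide_fake_sysdir",
     re.compile(r"\battrib(?:\.exe)?\b.*\+h\b.*\\windows\\system64\b")),
]


def match_rules(cmdline: str) -> List[str]:
    """Names of all rules whose regex matches this command line."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def is_rms_domain(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in RMS_DOMAIN_SUFFIXES)


def assess(cmdlines: List[str], net_records: List[Tuple[str, str]]) -> Dict:
    """Map telemetry onto the stages of the chain and return a verdict."""
    hits: Dict[str, List[str]] = {}
    killed = set()
    for cmd in cmdlines:
        for name in match_rules(cmd):
            hits.setdefault(name, []).append(cmd)
        m = TASKKILL_RX.search(cmd.lower())
        if m and m.group(1) in RMS_PROCESS_NAMES:
            killed.add(m.group(1))
    contacts = [(dom, dst) for dom, dst in net_records if dom and is_rms_domain(dom)]
    stages = {
        "kill_existing_rms": len(killed) >= 2,
        "reconfigure": "rms_reg_wipe" in hits or "silent_reg_import" in hits,
        "silent_install": "rms_silent_install" in hits,
        "hide_install_dir": "hide_fake_sysdir" in hits,
        "vendor_beacon": bool(contacts),
    }
    score = sum(stages.values())
    if stages["silent_install"] and score >= 3:
        verdict = "rms_unattended_install"
    elif score:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "stages": stages, "hits": hits,
            "killed": sorted(killed), "contacts": contacts}


# Constructed from the command lines in this report's process tree, plus one
# benign control line.
SAMPLE_PROCESS_LOG = [
    "taskkill /f /im rutserv.exe",
    "taskkill /f /im rfusclient.exe",
    "taskkill /f /im svshost.exe",
    'reg delete "HKLM\\SYSTEM\\Remote Manipulator System" /f',
    'regedit /s "regedit.reg"',
    "timeout 2",
    "svshost.exe /silentinstall",
    "svshost.exe /firewall",
    "svshost.exe /start",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\upgradewin.exe /tray",
    'attrib +r +a +s +h "C:\\Windows\\System64" /S /D',
    "notepad.exe C:\\Users\\Admin\\notes.txt",
]

# Constructed from this report's network tables (the 52.109.8.19 row has no domain).
SAMPLE_NETWORK = [
    ("rmansys.ru", "31.31.198.18:80"),
    ("rms-server.tektonit.ru", "95.213.205.83:5655"),
    ("", "52.109.8.19:443"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_PROCESS_LOG, SAMPLE_NETWORK)
    print(result["verdict"])
    for stage, seen in result["stages"].items():
        print(f"  {stage:18s} {'yes' if seen else 'no'}")
```

The rules deliberately key on the command-line shape (installer switches, the vendor registry key, the fake System64 path) rather than on the file hashes, since the same chain with a rebuilt host binary would change every hash on this page but none of the switches; the taskkill stage requires at least two RMS process names so that a lone administrator killing one process does not trip it.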
Files
memory/1084-54-0x0000000075341000-0x0000000075343000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Users\Admin\AppData\Local\Temp\install.bat
| MD5 | e595f1eed00fef50a90ede49468cbe60 |
| SHA1 | 62d19a693bc252b889d684a147cf0206f77e7576 |
| SHA256 | 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1 |
| SHA512 | 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b |
C:\Users\Admin\AppData\Local\Temp\regedit.reg
| MD5 | b5da186c88f3e629882a94768910ac4a |
| SHA1 | 8fa7b238cf4f08dc04ed54334bf1e6834781733e |
| SHA256 | f2cfedc94567c049ae83f884d54c8b6e2758372adee9e9e50e16d76add165000 |
| SHA512 | 0829d0f16e689897737f0c57055723bece8a943ee394a785c38ae18903bcf2bbd254132b078f88724a03c319f57b072d9b8a546bbb85778b01865aaadc4cba0e |
C:\Users\Admin\AppData\Local\Temp\svshost.exe
| MD5 | 8d071134c46b96619483975fc06a4c2a |
| SHA1 | b6e20f7de308a6e6a9852965e25b581f34e8227b |
| SHA256 | b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0 |
| SHA512 | 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03 |
memory/1160-64-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1360-68-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1544-74-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
| MD5 | d8aa01236323dab4facb72d3af631203 |
| SHA1 | 01f18748f9c95121e22df54b192b383baff6b802 |
| SHA256 | 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df |
| SHA512 | e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a |
memory/1760-76-0x0000000000230000-0x0000000000231000-memory.dmp
memory/764-84-0x0000000000230000-0x0000000000231000-memory.dmp
memory/872-83-0x00000000001C0000-0x00000000001C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 01:31
Reported
2022-01-28 01:35
Platform
win10-en-20211208
Max time kernel
150s
Max time network
166s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
Sets file to hidden
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upgradewin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svshost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe
"C:\Users\Admin\AppData\Local\Temp\0473a7c90dcb06493817a6c6ebde0a4d6418dde8572af848cd8a518b42fab0db.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svnhost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemsmss.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im svshost.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im upgradewin.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im updated.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemswin.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systems.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systeminfo.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\System Corporation Update" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /silentinstall
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /firewall
C:\Users\Admin\AppData\Local\Temp\svshost.exe
svshost.exe /start
C:\Users\Admin\AppData\Local\Temp\svshost.exe
C:\Users\Admin\AppData\Local\Temp\svshost.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Windows\System64" /S /D
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe /tray
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.19:443 | | tcp |
| US | 52.109.8.19:443 | | tcp |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Users\Admin\AppData\Local\Temp\install.bat
| MD5 | e595f1eed00fef50a90ede49468cbe60 |
| SHA1 | 62d19a693bc252b889d684a147cf0206f77e7576 |
| SHA256 | 55faa864b3d8af8ee2560acc9bc002b296b375b209056d16fe9aa057859205c1 |
| SHA512 | 4c3a0d3275c2d809da77d7ce6aa560dd9827023de653a4bca6dbbb276fd1c1f9166537054bbdc7a02c2950488d7e658d989f0c76245f60e163ba917dc83f6a7b |
C:\Users\Admin\AppData\Local\Temp\regedit.reg
| MD5 | b5da186c88f3e629882a94768910ac4a |
| SHA1 | 8fa7b238cf4f08dc04ed54334bf1e6834781733e |
| SHA256 | f2cfedc94567c049ae83f884d54c8b6e2758372adee9e9e50e16d76add165000 |
| SHA512 | 0829d0f16e689897737f0c57055723bece8a943ee394a785c38ae18903bcf2bbd254132b078f88724a03c319f57b072d9b8a546bbb85778b01865aaadc4cba0e |
C:\Users\Admin\AppData\Local\Temp\svshost.exe
| MD5 | 8d071134c46b96619483975fc06a4c2a |
| SHA1 | b6e20f7de308a6e6a9852965e25b581f34e8227b |
| SHA256 | b7c95085ba862cb754172780279fd14e2cb49e805d8a06d28116e26330148ed0 |
| SHA512 | 5ead70b3abeb8aceffd94335d348b2cc02e122cd87f69e31ea3887c4217ecbf93963338fa7f374d8ca1034b43318b001d7feb4ff75575fe436e15908c0ec4b03 |
memory/2336-206-0x0000000000BE0000-0x0000000000D2A000-memory.dmp
memory/4056-209-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\upgradewin.exe
| MD5 | d8aa01236323dab4facb72d3af631203 |
| SHA1 | 01f18748f9c95121e22df54b192b383baff6b802 |
| SHA256 | 29ee12279007926e198af8d85a4dd15478db05d4ac2465f02af7c4315d7320df |
| SHA512 | e2b38f3f978afcc7d547d4c3f8f9b882ae6f12df1747fd7bd91a45ea5226fbbdd3fa20835a4765f7d471c50d473cae3f37e7f0c97dbc6fb7c0450f604502da8a |
memory/4012-212-0x00000000001D0000-0x00000000001F3000-memory.dmp
memory/320-215-0x0000000000B60000-0x0000000000B61000-memory.dmp
memory/3000-216-0x0000000002700000-0x0000000002701000-memory.dmp