Malware Analysis Report

2024-11-30 19:52

Sample ID 220129-e1gjhadbc8
Target 9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36
SHA256 9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36
Tags: rms rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36

Threat Level: Known bad

The file 9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36 was found to be: Known bad.

Malicious Activity Summary

rms rat trojan

RMS

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Delays execution with timeout.exe

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-29 04:24

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-29 04:24

Reported

2022-01-29 08:38

Platform

win10-en-20211208

Max time kernel

170s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe"

Signatures

RMS

trojan rat rms

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\exe\snpt.pdb | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\symbols\exe\snpt.pdb | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\snpt.pdb | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 908 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 3940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 1152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 780 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 780 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 780 wrote to memory of 2972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 780 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 780 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 780 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 780 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 780 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 780 wrote to memory of 3556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 780 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 780 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe

"C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Windows.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svnhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemsmss.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svshost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemswin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systems.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systeminfo.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /silentinstall

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /firewall

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /start

C:\Users\Admin\AppData\Local\Temp\snpt.exe

C:\Users\Admin\AppData\Local\Temp\snpt.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rmansys.ru | udp
RU | 31.31.198.18:80 | rmansys.ru | tcp
RU | 31.31.198.18:80 | rmansys.ru | tcp
US | 8.8.8.8:53 | rms-server.tektonit.ru | udp
RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp

Files

memory/908-117-0x0000000000DA0000-0x0000000000E4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows.bat

MD5 600d738bdd22241289654e0d635475de
SHA1 665373ad38eaa073a6216a6eb643701234fbe15b
SHA256 d23f0b1a6b5f9b74cbf736aa4bb4759b9dcab5345f414c20dfd3067cb8ff4d94
SHA512 a9c6230c70bd80485efde127a3da92ab34f09eb43ee2238079c0ba45ba2d773fa2dee25051489030f8c4e98b32c07af5c5783a2cf8be253d88108df3794f92fe

C:\Users\Admin\AppData\Local\Temp\regedit.reg

MD5 9d6d4c13bf2c8a0443aa1fb593304625
SHA1 65b1580716476ef0bea3ed2aa15b7cbc638af1a8
SHA256 0f3b3801fe96ed320b05e3e0c818a7f4104b708750f193508637a762952bc9b8
SHA512 45d543fc23810a67a110f1d0f926cebbc6afd6f20076128a54180a2d3af6c871f560a7b3b9ea1f477341a49b1bcb3fa786149af0f9604d2ec8072ffc77281334

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/912-122-0x0000000000B00000-0x0000000000B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/3760-124-0x0000000000C00000-0x0000000000C23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/1952-126-0x0000000000AB0000-0x0000000000B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/2232-128-0x00000000001D0000-0x00000000001F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-29 04:24

Reported

2022-01-29 08:38

Platform

win7-en-20211208

Max time kernel

155s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe"

Signatures

RMS

trojan rat rms

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\snpt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1576 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe | C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 524 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 524 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 524 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 524 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 524 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 524 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 524 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 524 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 524 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 524 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 524 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 524 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 524 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe
PID 524 wrote to memory of 884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\snpt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe

"C:\Users\Admin\AppData\Local\Temp\9b1bd4ac06317156fdd4d2cb6b416ed81ad2785ca3d14370f39b16dcde4aba36.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Windows.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svnhost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemsmss.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im svshost.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemswin.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systems.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systeminfo.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /silentinstall

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /firewall

C:\Users\Admin\AppData\Local\Temp\snpt.exe

snpt.exe /start

C:\Users\Admin\AppData\Local\Temp\snpt.exe

C:\Users\Admin\AppData\Local\Temp\snpt.exe

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | | tcp
US | 204.79.197.200:443 | | tcp
US | 8.8.8.8:53 | rmansys.ru | udp
RU | 31.31.198.18:80 | rmansys.ru | tcp
RU | 31.31.198.18:80 | rmansys.ru | tcp
US | 8.8.8.8:53 | rms-server.tektonit.ru | udp
RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp

Files

memory/1576-54-0x0000000075601000-0x0000000075603000-memory.dmp

memory/1576-55-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows.bat

MD5 600d738bdd22241289654e0d635475de
SHA1 665373ad38eaa073a6216a6eb643701234fbe15b
SHA256 d23f0b1a6b5f9b74cbf736aa4bb4759b9dcab5345f414c20dfd3067cb8ff4d94
SHA512 a9c6230c70bd80485efde127a3da92ab34f09eb43ee2238079c0ba45ba2d773fa2dee25051489030f8c4e98b32c07af5c5783a2cf8be253d88108df3794f92fe

C:\Users\Admin\AppData\Local\Temp\regedit.reg

MD5 9d6d4c13bf2c8a0443aa1fb593304625
SHA1 65b1580716476ef0bea3ed2aa15b7cbc638af1a8
SHA256 0f3b3801fe96ed320b05e3e0c818a7f4104b708750f193508637a762952bc9b8
SHA512 45d543fc23810a67a110f1d0f926cebbc6afd6f20076128a54180a2d3af6c871f560a7b3b9ea1f477341a49b1bcb3fa786149af0f9604d2ec8072ffc77281334

\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/1632-63-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/2004-67-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

C:\Users\Admin\AppData\Local\Temp\snpt.exe

MD5 356366b526741ee3e73b26d3099af92e
SHA1 a7844f82ab773e478dae6bb1d42c5b51535cc44d
SHA256 578db3dcb81d025381ee22908c3459ec9835269b91e2f8c318fa173bd2eebd84
SHA512 dcd3ea1ba3a7f988868312ed290dce98c6fd57fa6dace43f59192c7f93e86a572fb0f14fe35b84b8e28f227ee06550ebc94e49fb39bd274492934ae9129f74f5

memory/1748-73-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7