rms | 98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2022, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

officedeploymenttool_15330-20230.exe
Size

4.4MB
MD5

ad65a509881ef712234bb07cb1165a46
SHA1

519a968fe267b9bf77f7ff2ba1074e8e20202d60
SHA256

98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423
SHA512

eb584be09f95f292b9cf4197685ad8762f84e39c4308eb0dfbfde2b82482cb58f13cbbde6bd49d3ad5d52bf96a8fea068de3d960a06242f25eb85d933ca322fd
SSDEEP

98304:HXz+89bq0C+fRXzclLI6bei3yTu8HsXwKcuj:3K8Bq0DfaN/3yTSAUj

Score

10^/10

rms discovery persistence rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4188 created 1776	4188	svchost.exe	99

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	3532	WScript.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3004	officedeploymenttool_15330-20230.exe
1480	Start.exe
1776	rutserv.exe
4396	rutserv.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	officedeploymenttool_15330-20230.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	rutserv.exe

Loads dropped DLL 4 IoCs

pid	Process
1776	rutserv.exe
1776	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitcoin = "c:\\ProgramData\\Immunity\\rutserv.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EC1C46868A78521D3A7ED5209EF9CB19	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
3468	taskkill.exe
2856	taskkill.exe
3980	taskkill.exe
1832	taskkill.exe
1272	taskkill.exe
2036	taskkill.exe
3244	taskkill.exe
2368	taskkill.exe
3084	taskkill.exe
2160	taskkill.exe
4844	taskkill.exe
2216	taskkill.exe
2472	taskkill.exe
1292	taskkill.exe
1960	taskkill.exe
2988	taskkill.exe
3700	taskkill.exe
1020	taskkill.exe
3672	taskkill.exe
1376	taskkill.exe
3172	taskkill.exe
5112	taskkill.exe
4272	taskkill.exe
920	taskkill.exe
2004	taskkill.exe
1368	taskkill.exe
4440	taskkill.exe
2892	taskkill.exe
1380	taskkill.exe
1444	taskkill.exe
1804	taskkill.exe
228	taskkill.exe
320	taskkill.exe
2084	taskkill.exe
3740	taskkill.exe
2540	taskkill.exe
4516	taskkill.exe
3668	taskkill.exe
1348	taskkill.exe
2400	taskkill.exe
1336	taskkill.exe
1532	taskkill.exe
5012	taskkill.exe
1596	taskkill.exe
2080	taskkill.exe
3700	taskkill.exe
1020	taskkill.exe
4652	taskkill.exe
2988	taskkill.exe
1884	taskkill.exe
3992	taskkill.exe
1376	taskkill.exe
2508	taskkill.exe
2440	taskkill.exe
3580	taskkill.exe
400	taskkill.exe
1880	taskkill.exe
4776	taskkill.exe
4184	taskkill.exe
4228	taskkill.exe
5020	taskkill.exe
2592	taskkill.exe
3324	taskkill.exe
344	taskkill.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	officedeploymenttool_15330-20230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	officedeploymenttool_15330-20230.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	officedeploymenttool_15330-20230.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c0000000100000004000000000800000400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	rutserv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rutserv.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	1776	rutserv.exe
Token: SeTcbPrivilege	4188	svchost.exe
Token: SeTcbPrivilege	4188	svchost.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeTakeOwnershipPrivilege	4396	rutserv.exe
Token: SeTcbPrivilege	4396	rutserv.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeTcbPrivilege	4396	rutserv.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	3668	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe
4396	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3532	3660	officedeploymenttool_15330-20230.exe	83
PID 3660 wrote to memory of 3532	3660	officedeploymenttool_15330-20230.exe	83
PID 3660 wrote to memory of 3532	3660	officedeploymenttool_15330-20230.exe	83
PID 3660 wrote to memory of 3004	3660	officedeploymenttool_15330-20230.exe	84
PID 3660 wrote to memory of 3004	3660	officedeploymenttool_15330-20230.exe	84
PID 3660 wrote to memory of 3004	3660	officedeploymenttool_15330-20230.exe	84
PID 3532 wrote to memory of 1480	3532	WScript.exe	93
PID 3532 wrote to memory of 1480	3532	WScript.exe	93
PID 3532 wrote to memory of 1480	3532	WScript.exe	93
PID 1480 wrote to memory of 1096	1480	Start.exe	95
PID 1480 wrote to memory of 1096	1480	Start.exe	95
PID 1480 wrote to memory of 1096	1480	Start.exe	95
PID 1096 wrote to memory of 4164	1096	cmd.exe	97
PID 1096 wrote to memory of 4164	1096	cmd.exe	97
PID 1096 wrote to memory of 4164	1096	cmd.exe	97
PID 1096 wrote to memory of 1776	1096	cmd.exe	99
PID 1096 wrote to memory of 1776	1096	cmd.exe	99
PID 1096 wrote to memory of 1776	1096	cmd.exe	99
PID 1096 wrote to memory of 2036	1096	cmd.exe	100
PID 1096 wrote to memory of 2036	1096	cmd.exe	100
PID 1096 wrote to memory of 2036	1096	cmd.exe	100
PID 1096 wrote to memory of 3040	1096	cmd.exe	101
PID 1096 wrote to memory of 3040	1096	cmd.exe	101
PID 1096 wrote to memory of 3040	1096	cmd.exe	101
PID 1096 wrote to memory of 3700	1096	cmd.exe	102
PID 1096 wrote to memory of 3700	1096	cmd.exe	102
PID 1096 wrote to memory of 3700	1096	cmd.exe	102
PID 1096 wrote to memory of 1336	1096	cmd.exe	103
PID 1096 wrote to memory of 1336	1096	cmd.exe	103
PID 1096 wrote to memory of 1336	1096	cmd.exe	103
PID 1096 wrote to memory of 2592	1096	cmd.exe	104
PID 1096 wrote to memory of 2592	1096	cmd.exe	104
PID 1096 wrote to memory of 2592	1096	cmd.exe	104
PID 1096 wrote to memory of 3244	1096	cmd.exe	105
PID 1096 wrote to memory of 3244	1096	cmd.exe	105
PID 1096 wrote to memory of 3244	1096	cmd.exe	105
PID 1096 wrote to memory of 4184	1096	cmd.exe	107
PID 1096 wrote to memory of 4184	1096	cmd.exe	107
PID 1096 wrote to memory of 4184	1096	cmd.exe	107
PID 4188 wrote to memory of 4396	4188	svchost.exe	108
PID 4188 wrote to memory of 4396	4188	svchost.exe	108
PID 4188 wrote to memory of 4396	4188	svchost.exe	108
PID 1096 wrote to memory of 4016	1096	cmd.exe	109
PID 1096 wrote to memory of 4016	1096	cmd.exe	109
PID 1096 wrote to memory of 4016	1096	cmd.exe	109
PID 1096 wrote to memory of 1624	1096	cmd.exe	110
PID 1096 wrote to memory of 1624	1096	cmd.exe	110
PID 1096 wrote to memory of 1624	1096	cmd.exe	110
PID 1096 wrote to memory of 4228	1096	cmd.exe	111
PID 1096 wrote to memory of 4228	1096	cmd.exe	111
PID 1096 wrote to memory of 4228	1096	cmd.exe	111
PID 1096 wrote to memory of 1360	1096	cmd.exe	112
PID 1096 wrote to memory of 1360	1096	cmd.exe	112
PID 1096 wrote to memory of 1360	1096	cmd.exe	112
PID 1096 wrote to memory of 2824	1096	cmd.exe	113
PID 1096 wrote to memory of 2824	1096	cmd.exe	113
PID 1096 wrote to memory of 2824	1096	cmd.exe	113
PID 1096 wrote to memory of 1368	1096	cmd.exe	114
PID 1096 wrote to memory of 1368	1096	cmd.exe	114
PID 1096 wrote to memory of 1368	1096	cmd.exe	114
PID 1096 wrote to memory of 2368	1096	cmd.exe	115
PID 1096 wrote to memory of 2368	1096	cmd.exe	115
PID 1096 wrote to memory of 2368	1096	cmd.exe	115
PID 1096 wrote to memory of 216	1096	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_15330-20230.exe
"C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_15330-20230.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\microsoft360.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\ProgramData\Start.exe
    "C:\ProgramData\Start.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Immunity\bitcoin.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bitcoin" /t REG_SZ /d "c:\ProgramData\Immunity\rutserv.exe"
        5⤵
        Adds Run key to start application
        
        PID:4164
    - - C:\ProgramData\Immunity\rutserv.exe
        
        "C:\ProgramData\Immunity\rutserv.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1776
      - C:\ProgramData\Immunity\rutserv.exe
        
        C:\ProgramData\Immunity\rutserv.exe -second
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4396
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:5012
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1348
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:3700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:3324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:3084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:3380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2160
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:4844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:320
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:4776
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4248
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:4652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:3740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2988
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:2508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        Kills process with taskkill
        
        PID:1380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "rundll32.exe"
        5⤵
        
        PID:2724
- C:\Users\Admin\AppData\Roaming\officedeploymenttool_15330-20230.exe
  "C:\Users\Admin\AppData\Roaming\officedeploymenttool_15330-20230.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Immunity\bitcoin.cmd

Filesize
254B

MD5
5e5006b2a14020e2714d314846ba6371

SHA1
a23988ea442d700fee4e570283c4a63bc61cdd5c

SHA256
708bef0dccec5ba577f5cf95709bd774f72f612105c43f17ef9b1c9a3c30762a

SHA512
be7210d7eb79048460dbd142212a1eb05f2d6b781598ec397260592d46eb0c66d3305bedc687e79e024f4d1b66474c485d758f774093e7452b0b77ab23ba4302

Download Submit
C:\ProgramData\Immunity\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\ProgramData\Immunity\rfusclient.exe

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\russian.lg

Filesize
64KB

MD5
55a0b95a1d1b7e309f2c22af82a07cc0

SHA1
521c41e185e5b5e73cfc4e1b18646dc4ed171942

SHA256
704a1a83d11c21717c17e6a7eb264d94a98d45a7c1aba8ebb82fafc65f4f199d

SHA512
38e3a8392f84cd31b9eb12ce4fa7ed04db29f4fe4de95e52f18cdc6e7c74a0b2673d15ab40802bf289ed3a1e83526827b012ceddbb309f40c5302547ce39f5f9

Download Submit
C:\ProgramData\Immunity\rutserv.exe

Filesize
13.2MB

MD5
990a46a46e2550c2f88fbde507b7e36d

SHA1
2797ed1bfcfe5909d2d63259e6d42760ad7f5520

SHA256
31efbec8319390cfc0cbcac3932ab71aa6ef5ea4f3e90e17da166a9a52f78c7e

SHA512
530cc7624c527713eacd9c7daf8d29ef5644bdf52088efb5a1e4e797a7506676c5a7a56f66656cef2ef51e83eede422f1ca859571b6a1a0e6822c709057a4838

Download Submit
C:\ProgramData\Immunity\rutserv.exe

Filesize
13.2MB

MD5
990a46a46e2550c2f88fbde507b7e36d

SHA1
2797ed1bfcfe5909d2d63259e6d42760ad7f5520

SHA256
31efbec8319390cfc0cbcac3932ab71aa6ef5ea4f3e90e17da166a9a52f78c7e

SHA512
530cc7624c527713eacd9c7daf8d29ef5644bdf52088efb5a1e4e797a7506676c5a7a56f66656cef2ef51e83eede422f1ca859571b6a1a0e6822c709057a4838

Download Submit
C:\ProgramData\Immunity\rutserv.exe

Filesize
13.2MB

MD5
990a46a46e2550c2f88fbde507b7e36d

SHA1
2797ed1bfcfe5909d2d63259e6d42760ad7f5520

SHA256
31efbec8319390cfc0cbcac3932ab71aa6ef5ea4f3e90e17da166a9a52f78c7e

SHA512
530cc7624c527713eacd9c7daf8d29ef5644bdf52088efb5a1e4e797a7506676c5a7a56f66656cef2ef51e83eede422f1ca859571b6a1a0e6822c709057a4838

Download Submit
C:\ProgramData\Immunity\settings.dat

Filesize
6KB

MD5
6fd0f4d5c8079fc0878ee9231af53440

SHA1
7add89541e314d2e5e27eebdaf054a5083119bdd

SHA256
200555ea21bd554e0c16282d33fea73ccda37624aaffed63b14ced5ade3f033f

SHA512
38f306aaf33cb45591d4cfb22d9714fecc3dd349f3bc3e49578338ef8030b42cab42b730edfd2d5313771ca43a63531274bf458bbcc1c40c0665e8585b544983

Download Submit
C:\ProgramData\Immunity\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\ProgramData\Immunity\vp8decoder.dll

Filesize
380KB

MD5
1ea62293ac757a0c2b64e632f30db636

SHA1
8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

SHA256
970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

SHA512
857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

Download Submit
C:\ProgramData\Immunity\vp8encoder.dll

Filesize
1.6MB

MD5
89770647609ac26c1bbd9cf6ed50954e

SHA1
349eed120070bab7e96272697b39e786423ac1d3

SHA256
7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

SHA512
a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

Download Submit
C:\ProgramData\Immunity\webmmux.dll

Filesize
260KB

MD5
d29f7070ee379544aeb19913621c88e6

SHA1
499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

SHA256
654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

SHA512
4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

Download Submit
C:\ProgramData\Immunity\webmvorbisdecoder.dll

Filesize
365KB

MD5
7a9eeac3ceaf7f95f44eb5c57b4db2e3

SHA1
be1048c254aa3114358f76d08c55667c4bf2d382

SHA256
b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

SHA512
b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

Download Submit
C:\ProgramData\Immunity\webmvorbisencoder.dll

Filesize
860KB

MD5
5308b9945e348fbe3a480be06885434c

SHA1
5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

SHA256
9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

SHA512
4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

Download Submit
C:\ProgramData\Start.exe

Filesize
6.0MB

MD5
7f4ee2df4db93ba993748531ae3fa241

SHA1
ed33ba6de8beb198f61a7f629828378eb90426c2

SHA256
ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911

SHA512
a4b8e5ecb2a015eb2bcf9e431add61c432d17fe5633d5d29c4d1c8268ab85f09aa40716bd2312d2459f783856671ec20de06053399d3cb41fba1932f7ac26028

Download Submit
C:\ProgramData\Start.exe

Filesize
6.0MB

MD5
7f4ee2df4db93ba993748531ae3fa241

SHA1
ed33ba6de8beb198f61a7f629828378eb90426c2

SHA256
ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911

SHA512
a4b8e5ecb2a015eb2bcf9e431add61c432d17fe5633d5d29c4d1c8268ab85f09aa40716bd2312d2459f783856671ec20de06053399d3cb41fba1932f7ac26028

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft360.vbs

Filesize
465B

MD5
677ed1bfb1899a9ab007b959aa11eb24

SHA1
316ae82a87169610b12e1459b70e0d820c5f668f

SHA256
053808d02f04cbff21617dc84fb1419a9027872ea68d891c21fd4a7f121967cd

SHA512
c84e29f5aecd3c0730cf98a1961ded8ea6ac6d4db0cce5092c708c6c713d3d6cef26468b3048db2e98c618cd04fa68ab87efaa3ab5d3fd6daa0b31e9509eb933

Download Submit
C:\Users\Admin\AppData\Roaming\officedeploymenttool_15330-20230.exe

Filesize
4.4MB

MD5
e000c22430d5ac93d05294b36f90e712

SHA1
a588d552aa400bfe41b14e6984e26e44efa49bd2

SHA256
69f75ce43b6ac08fa0ad6bc040cf43c58ee0f1e595b607016a63c2478772c2f9

SHA512
0213d16c35128fadd2c01117709202b6b121fd190f5836ac8ee0834f034bdc00f1d0655bcfaac795dd81eb9e3f0ef7a0c252906f664d877794ce2cfb2027718c

Download Submit
C:\Users\Admin\AppData\Roaming\officedeploymenttool_15330-20230.exe

Filesize
4.4MB

MD5
e000c22430d5ac93d05294b36f90e712

SHA1
a588d552aa400bfe41b14e6984e26e44efa49bd2

SHA256
69f75ce43b6ac08fa0ad6bc040cf43c58ee0f1e595b607016a63c2478772c2f9

SHA512
0213d16c35128fadd2c01117709202b6b121fd190f5836ac8ee0834f034bdc00f1d0655bcfaac795dd81eb9e3f0ef7a0c252906f664d877794ce2cfb2027718c

Download Submit