azorult | a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Azorult.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Azorult.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

Azorult.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	acprotect
C:\ProgramData\Windows\vp8decoder.dll	acprotect

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

wini.exeWScript.execheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cheat.exe

Executes dropped EXE 13 IoCs

Processes:

Azorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.execheat.exeink.exetaskhost.exeP.exe

pid	process
6448	Azorult.exe
6616	wini.exe
5884	winit.exe
4860	rutserv.exe
4812	rutserv.exe
5532	rutserv.exe
6176	rutserv.exe
6264	rfusclient.exe
1940	rfusclient.exe
1464	cheat.exe
4560	ink.exe
1328	taskhost.exe
2860	P.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Windows\vp8decoder.dll	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Azorult.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

184 raw.githubusercontent.com
177 raw.githubusercontent.com
178 raw.githubusercontent.com

flow	ioc
184	raw.githubusercontent.com
177	raw.githubusercontent.com
178	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 577802.crdownload	autoit_exe
C:\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6928	sc.exe
2216	sc.exe
5796	sc.exe
5968	sc.exe
808	sc.exe
1992	sc.exe
6464	sc.exe
5028	sc.exe
6236	sc.exe
1648	sc.exe
3788	sc.exe
7164	sc.exe
6420	sc.exe
1704	sc.exe
3096	sc.exe
4656	sc.exe
3888	sc.exe
3160	sc.exe
2256	sc.exe
2112	sc.exe
5696	sc.exe
2216	sc.exe
5428	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2268 timeout.exe

pid	process
2268	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552530123729688"	chrome.exe

Modifies registry class 1 IoCs

Processes:

wini.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings wini.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3620 NOTEPAD.EXE
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

6936 regedit.exe
6832 regedit.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2572 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	wini.exe

pid	process
6936	regedit.exe
6832	regedit.exe

pid	process
2572	vlc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

chrome.exechrome.exeAzorult.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6808	chrome.exe
6808	chrome.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
6448	Azorult.exe
4860	rutserv.exe
4860	rutserv.exe
4860	rutserv.exe
4860	rutserv.exe
4860	rutserv.exe
4860	rutserv.exe
4812	rutserv.exe
4812	rutserv.exe
5532	rutserv.exe
5532	rutserv.exe
6176	rutserv.exe
6176	rutserv.exe
6176	rutserv.exe
6176	rutserv.exe
6176	rutserv.exe
6176	rutserv.exe
6264	rfusclient.exe
6264	rfusclient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2572 vlc.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

6024 chrome.exe
6024 chrome.exe
6024 chrome.exe
6024 chrome.exe
6024 chrome.exe
6024 chrome.exe
6024 chrome.exe
6024 chrome.exe

pid	process
2572	vlc.exe

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2660	firefox.exe
Token: SeDebugPrivilege	2660	firefox.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NOTEPAD.EXEfirefox.exechrome.exe

pid	process
3620	NOTEPAD.EXE
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

firefox.exechrome.exevlc.exe

pid	process
2660	firefox.exe
2660	firefox.exe
2660	firefox.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
2572	vlc.exe
2572	vlc.exe
2572	vlc.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

firefox.exevlc.exeAzorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.execheat.exeink.exetaskhost.exeP.exe

pid	process
2660	firefox.exe
2572	vlc.exe
6448	Azorult.exe
6616	wini.exe
5884	winit.exe
4860	rutserv.exe
4812	rutserv.exe
5532	rutserv.exe
6176	rutserv.exe
1464	cheat.exe
4560	ink.exe
1328	taskhost.exe
2860	P.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 4828 wrote to memory of 2660	4828	firefox.exe	firefox.exe
PID 2660 wrote to memory of 4964	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 4964	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 3344	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 2456	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 2456	2660	firefox.exe	firefox.exe
PID 2660 wrote to memory of 2456	2660	firefox.exe	firefox.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

6488 attrib.exe
3084 attrib.exe

pid	process
6488	attrib.exe
3084	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.0.1378373954\692484567" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b474b62-44e0-45e4-a74c-baf3a31d0d13} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 1996 200f1bda458 gpu
3⤵
PID:4964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.1.1228510865\236798225" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {722ac1cf-1d9c-45d6-8bc3-f64f298b39d2} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 2396 200e5472558 socket
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.2.930142052\1472919497" -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3168 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c230a449-2fdd-4f48-9eee-c799e68b78ff} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 3184 200f5da4c58 tab
3⤵
PID:2456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.3.650900560\23074385" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {201f9c9f-28f5-49fa-b312-50ca66cc0f9b} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 3576 200e5460758 tab
3⤵
PID:1016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.4.46110153\2119050874" -childID 3 -isForBrowser -prefsHandle 4520 -prefMapHandle 4512 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e29117-9e71-4e15-987a-8ab3afaddd7b} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 4524 200f7acd658 tab
3⤵
PID:5096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.5.183444324\804563345" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ae8db25-2e27-4bdf-8c77-384c57200e67} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 5164 200f5d53858 tab
3⤵
PID:1312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.6.1200959837\515204993" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce585b9a-e93d-4f32-b073-bfd4420fb310} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 5296 200f5d53258 tab
3⤵
PID:4304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2660.7.1357739968\1958468665" -childID 6 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {298f0539-b9be-4c5a-a2f6-bb132df835d3} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" 5576 200f5d51158 tab
3⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba3589758,0x7ffba3589768,0x7ffba3589778
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:2
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4584 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:6828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7235e7688,0x7ff7235e7698,0x7ff7235e76a8
3⤵
PID:6844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5596 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:6372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5372 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:6660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3160 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:7136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3216 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5564 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:6284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1696 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5236 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:1
2⤵
PID:6424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3348 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:6820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:8
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5820 --field-trial-handle=1876,i,1762118932768644160,7714801608572394468,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7164

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CompareBlock.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:6448

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
3⤵
- Checks computer location settings
PID:6312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
4⤵
PID:6464

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
5⤵
- UAC bypass
- Windows security bypass
- Runs .reg file with regedit
PID:6936

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
5⤵
- Runs .reg file with regedit
PID:6832

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:2268

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4860

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4812

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
5⤵
- Views/modifies file attributes
PID:3084

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
5⤵
- Views/modifies file attributes
PID:6488

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
5⤵
- Launches sc.exe
PID:6420

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
5⤵
- Launches sc.exe
PID:5028

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
5⤵
- Launches sc.exe
PID:6236

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5884

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1328

C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2860

C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
2⤵
PID:5820

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
3⤵
- Launches sc.exe
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
2⤵
PID:2276

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
3⤵
- Launches sc.exe
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
2⤵
PID:6332

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
3⤵
- Launches sc.exe
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
2⤵
PID:1000

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
3⤵
- Launches sc.exe
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
2⤵
PID:1508

C:\Windows\SysWOW64\sc.exe
sc delete swprv
3⤵
- Launches sc.exe
PID:3160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
2⤵
PID:3536

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
3⤵
- Launches sc.exe
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
2⤵
PID:2908

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
3⤵
- Launches sc.exe
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
2⤵
PID:6432

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
3⤵
- Launches sc.exe
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
2⤵
PID:220

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
3⤵
- Launches sc.exe
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
2⤵
PID:2184

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
3⤵
- Launches sc.exe
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
2⤵
PID:6288

C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
3⤵
- Launches sc.exe
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
2⤵
PID:1164

C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
3⤵
- Launches sc.exe
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
2⤵
PID:6856

C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
3⤵
- Launches sc.exe
PID:7164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
2⤵
PID:1480

C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
3⤵
- Launches sc.exe
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
2⤵
PID:5028

C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
3⤵
- Launches sc.exe
PID:5428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
2⤵
PID:5680

C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
3⤵
- Launches sc.exe
PID:6464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
2⤵
PID:5264

C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
3⤵
- Launches sc.exe
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
2⤵
PID:6732

C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
3⤵
- Launches sc.exe
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
2⤵
PID:6312

C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
3⤵
- Launches sc.exe
PID:6928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
2⤵
PID:7064

C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
3⤵
- Launches sc.exe
PID:3888

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6176

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6264

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
3⤵
PID:3528

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery