azorult | hxxp://adfly[.]com

Windows Service

Disable or Modify Tools

Processes:

Azorult.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

regedit.exeAzorult.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

regedit.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
4760	bcdedit.exe
3584	bcdedit.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

Processes:

Azorult.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe

Modifies Windows Firewall 2 TTPs 10 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
396	netsh.exe
4748	netsh.exe
4824	netsh.exe
2108	netsh.exe
3684	netsh.exe
3980	netsh.exe
1748	netsh.exe
4396	netsh.exe
3020	netsh.exe
3324	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023717-2036.dat	acprotect
behavioral1/files/0x0007000000023716-2035.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023714-2002.dat	aspack_v212_v242
behavioral1/files/0x0007000000023713-2038.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

wini.exeWScript.execheat.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cheat.exe

Executes dropped EXE 13 IoCs

Processes:

wini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.execheat.exeink.exetaskhost.exeP.exerfusclient.exe

pid	Process
1216	wini.exe
3432	winit.exe
3904	rutserv.exe
2108	rutserv.exe
4200	rutserv.exe
4016	rutserv.exe
1896	rfusclient.exe
2880	rfusclient.exe
3324	cheat.exe
4812	ink.exe
912	taskhost.exe
1128	P.exe
2348	rfusclient.exe

Loads dropped DLL 1 IoCs

Processes:

[email protected]

pid	Process
2808	[email protected]

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023717-2036.dat	upx
behavioral1/files/0x0007000000023716-2035.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

ColorBug.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

ChilledWindows.exe

description	ioc	Process
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
540	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023715-1989.dat	autoit_exe
behavioral1/files/0x000700000002371f-2084.dat	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

[email protected]

description	ioc	Process
File created	C:\Windows\File Cache\Spark.exe	[email protected]
File opened for modification	C:\Windows\File Cache\Spark.exe	[email protected]
File created	C:\Windows\File Cache\Initialised	[email protected]
File created	C:\Windows\File Cache\DLL.dll	[email protected]
File created	C:\Windows\File Cache\IFEO.exe	[email protected]
File created	C:\Windows\File Cache\Driver.sys	[email protected]

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4364	sc.exe
2568	sc.exe
3584	sc.exe
2224	sc.exe
1944	sc.exe
2184	sc.exe
4440	sc.exe
4852	sc.exe
1256	sc.exe
4748	sc.exe
2140	sc.exe
3024	sc.exe
2712	sc.exe
3192	sc.exe
3644	sc.exe
3900	sc.exe
2340	sc.exe
4824	sc.exe
5060	sc.exe
1684	sc.exe
1808	sc.exe
2080	sc.exe
2068	sc.exe
3912	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

winit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 2 IoCs

Processes:

timeout.exetimeout.exe

pid	Process
2140	timeout.exe
3572	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616163983168443"	chrome.exe

Modifies registry class 6 IoCs

Processes:

winit.exechrome.exeChilledWindows.exewini.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{3921183F-59A7-48FB-AD9B-028123BD3274}	ChilledWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	wini.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid	Process
3520	regedit.exe
4364	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeAzorult.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exewinit.exe

pid	Process
3680	chrome.exe
3680	chrome.exe
2300	chrome.exe
2300	chrome.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
4716	Azorult.exe
3904	rutserv.exe
3904	rutserv.exe
3904	rutserv.exe
3904	rutserv.exe
3904	rutserv.exe
3904	rutserv.exe
2108	rutserv.exe
2108	rutserv.exe
4200	rutserv.exe
4200	rutserv.exe
4016	rutserv.exe
4016	rutserv.exe
4016	rutserv.exe
4016	rutserv.exe
4016	rutserv.exe
4016	rutserv.exe
2880	rfusclient.exe
2880	rfusclient.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe
3432	winit.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

Processes:

chrome.exe

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
2348	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Azorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.exerutserv.execheat.exeink.exetaskhost.exeP.exe

pid	Process
4716	Azorult.exe
1216	wini.exe
3432	winit.exe
3904	rutserv.exe
2108	rutserv.exe
4200	rutserv.exe
4016	rutserv.exe
3324	cheat.exe
4812	ink.exe
912	taskhost.exe
1128	P.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3680 wrote to memory of 3504	3680	chrome.exe	82
PID 3680 wrote to memory of 3504	3680	chrome.exe	82
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4268	3680	chrome.exe	84
PID 3680 wrote to memory of 4100	3680	chrome.exe	85
PID 3680 wrote to memory of 4100	3680	chrome.exe	85
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86
PID 3680 wrote to memory of 2512	3680	chrome.exe	86

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2008	attrib.exe
1736	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://adfly.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee015ab58,0x7ffee015ab68,0x7ffee015ab78
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4272 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4700 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4464 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5104 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3080 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4536 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4432 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1652 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5200 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4288 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5104 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2940 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3288 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3224 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5268 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5600 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5940 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5864 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5984 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6116 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4668 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5912 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5060 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4432 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4484 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 --field-trial-handle=1900,i,13976507798558723274,3504594423693674641,131072 /prefetch:8
  2⤵
  PID:5064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\Alerta.exe
"C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\Alerta.exe"
1⤵
PID:4608

C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\ChilledWindows.exe
"C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\ChilledWindows.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
PID:5108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x384
1⤵
PID:4720

C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\ColorBug.exe
"C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\ColorBug.exe"
1⤵
- Adds Run key to start application
PID:2092

C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\Azorult.exe
"C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4716
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    - Checks computer location settings
    PID:4268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:1352
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:4364
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:3520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2140
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3904
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2108
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4200
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:2008
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:1736
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:2224
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:3900
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:3024
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:3572
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3324
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:912
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1128
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:516
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:644
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:3196
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:4156
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:884

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4016
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2348
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1896

C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\[email protected]
"C:\Users\Admin\Downloads\Virus-Database-main\Virus-Database-main\[email protected]"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2808
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set nointegritychecks on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4760
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" -set testsigning on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery