Process Create:
RuleName: technique_id=T1218,technique_name=Signed Binary Proxy Execution
UtcTime: 2023-03-15 16:24:28.533
ProcessGuid: {75b7ad2f-f13c-6411-be49-000000004700}
ProcessId: 13276
Image: C:\Windows\SysWOW64\msiexec.exe
FileVersion: 5.0.19041.2193 (WinBuild.160101.0800)
Description: Windows® installer
Product: Windows Installer - Unicode
Company: Microsoft Corporation
OriginalFileName: msiexec.exe
CommandLine: "C:\Windows\System32\msiexec.exe" /X {E80CCFE8-163C-4E2B-BC36-71B747DAD690} /l*vx+ "C:\Users\user\AppData\Local\Temp\kl-uninstall-2023-3-15-19-24-28.log" /QN DISABLEROLLBACK=1 REBOOT=ReallySuppress KLLOGIN=KLAdmin KLPASSWD=1nX/#sz^w{fAe'DT
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\СИСТЕМА
LogonGuid: {75b7ad2f-dc48-6406-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=A5510739178F422AA33BD1EEBA57BA81C2567680,MD5=358672CD45148B835B1529D15A746847,SHA256=3247CF2A21F401513D3DB524433E8CBA7430FCFFE5BF81CE0FD90C429505F78C,IMPHASH=94A0F72DD6D0745010DB6BE24C4DBBA7
ParentProcessGuid: {75b7ad2f-f123-6411-ab49-000000004700}
ParentProcessId: 10296
ParentImage: C:\Users\user\AppData\Local\Temp\{93C0B982-A55C-43C2-9222-59FC1F8696F8}\kavremover.exe
ParentCommandLine: C:\Users\user\AppData\Local\Temp\{93C0B982-A55C-43C2-9222-59FC1F8696F8}\kavremover.exe
ParentUser: NT AUTHORITY\СИСТЕМА

File created:
RuleName: technique_id=T1574.010,technique_name=Services File Permissions Weakness
UtcTime: 2023-03-15 16:24:03.489
ProcessGuid: {75b7ad2f-f123-6411-ab49-000000004700}
ProcessId: 10296
Image: C:\Users\user\AppData\Local\Temp\{93C0B982-A55C-43C2-9222-59FC1F8696F8}\kavremover.exe
TargetFilename: C:\Windows\Temp\kavremvr-srvc 2023-03-15 19-24-03 (pid 10296).log
CreationUtcTime: 2023-03-15 16:24:03.489
User: NT AUTHORITY\СИСТЕМА